Singapore: Health and Pharma Overview
1. Governing Texts
In Singapore, the Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA') establishes the general data protection law governing the collection, use, and disclosure by private organisations of the personal data of individuals.
The PDPA operates as a baseline data protection law that applies across all industries in Singapore, including the healthcare and pharmaceutical industries. As such, the PDPA operates alongside existing sector-specific laws and regulations, and the PDPA's provisions are not intended to override sector-specific rules.
These sector-specific laws and regulations include the common law rules on patient and medical confidentiality, as well as other legislation administered by statutory bodies under the oversight of the Ministry of Health ('MOH'), such as:
- the Healthcare Services Act 2020 ('HCSA') and its subsidiary legislation, including the Healthcare Services (General) Regulations 2021 ('HCSR'). The HCSA adopts a services-based regulatory framework with a broader regulatory scope covering six broad categories of services: clinical support services, special services, non-premises based services, ambulatory care services, hospital services, and long-term care services. Upon commencement, it replaces the Private Hospitals and Medical Clinics Act 1980 ('PHMCA') and its subsidiary legislation, including the Private Hospitals and Medical Clinics Regulations ('PHMCR'), which currently adopt a premises-based regulatory framework;
- the Medical Registration Act 1997 ('the Medical Registration Act') which applies to doctors;
- the Health Products Act 2007 ('HPA'), which governs therapeutic products, and its subsidiary legislation, including the Health Products (Clinical Trials) Regulations 2016 ('HPR');
- the Medicines Act 1975 which governs medicinal products, and its subsidiary legislation including the Medicines (Clinical Trial) Regulations 2016; and
- the Human Biomedical Research Act 2015 ('HBRA') governing human biomedical research.
As mentioned above, the PHMCA will be replaced with the new HCSA which was passed by Parliament on 6 January 2020 and assented to by the President on 29 January 2020. Section 58 of the HCSA also seeks to repeal the PHMCA but since the HCSA has not commenced at the time of writing, the PHMCA and PHMCR will be discussed where relevant.
Phased implementation of the HCSA was initially targeted to begin from late 2021, with all phases activated by early 2023, so as to give licensees more preparation time. However, due to the Covid-19 pandemic, MOH deferred both (i) the implementation of the Phase 1 regulations under the HCSA and (ii) the measles and diphtheria immunity requirements for workers in services covered under the HCSA from September 2021 to 3 January 2022; Phase 1 has since commenced as at the time of writing. Phases 2 and 3 are expected to begin in late 2022 and late 2023, respectively.
Under the PDPA, there are nine key data protection obligations that organisations are required to comply with, namely:
- the Consent Obligation;
- the Purpose Limitation Obligation;
- the Notification Obligation;
- the Access and Correction Obligation;
- the Accuracy Obligation;
- the Protection Obligation;
- the Retention Limitation Obligation;
- the Transfer Limitation Obligation; and
- the Accountability Obligation (collectively, 'the Data Protection Obligations').
However, data intermediaries are generally subject only to the Protection Obligation and Retention Limitation Obligation under the PDPA. A data intermediary, as defined under the PDPA, is an organisation that processes personal data on behalf of another organisation, but does not include employees of the latter.
The Personal Data Protection (Amendment) Bill 2020 ('the PDPA Amendment Act'), which seeks to address Singapore's evolving digital economy needs, was passed by Parliament on 2 November 2020. The PDPA Amendment Act introduces amendments to the PDPA aimed at strengthening public trust, enhancing business competitiveness, and providing greater organisational accountability and assurance to consumers. The first phase of the PDPA Amendment Act came into effect on 1 February 2021 and permits disclosure of personal data about an individual who is a current or former patient of a licensee under the PHMCA, a licensee under the HCSA, or a prescribed healthcare body to a public agency for the purposes of policy formulation or review. The key amendments are briefly described in the overview below where relevant.
1.2. Supervisory authorities
The following regulatory authorities and bodies are responsible for enforcing the legislation outlined above:
- the Personal Data Protection Commission ('PDPC'), which administers and enforces the PDPA;
- the Health Sciences Authority ('HSA'), which administers the HPA and the Medicines Act;
- the MOH, which administers the PHMCA, the HCSA, and the HBRA; and
- the Singapore Medical Council ('SMC'), which administers the Medical Registration Act.
To facilitate compliance with the PDPA, the PDPC has issued various advisory guidelines, including one specifically for the healthcare sector, namely, the Advisory Guidelines for the Healthcare Sector ('the Healthcare Guidelines'). The Healthcare Guidelines provide illustrations on how the data protection provisions under the PDPA can be implemented in practice.
The MOH has also issued a set of Cybersecurity Best Practices for PHMCA Licensees ('the Cybersecurity Best Practices'), which are applicable to all licensees under the PHMCA. The MOH has since also developed a set of Healthcare Cybersecurity Essentials ('HCE') with input from healthcare service providers. The HCE is meant as a 'guidance document' for PHMCA licensees, HCSA licensees, and entities providing intermediate and long-term care services on adopting basic safeguards for their IT assets and data. It takes implementation feasibility into account and is pitched at a baseline level of cyber hygiene for licensees with a small IT setup.
It is pertinent to note that services covered under the HCSA will have to take the relevant steps either to port over their existing PHMCA licence to a HCSA licence or to apply for a new HCSA licence, Phase 1 of the implementation of the HCSA having commenced on 3 January 2022. As mentioned above, Section 58 of the HCSA also seeks to repeal the PHMCA but, given that the HCSA has not commenced at the time of writing, the Cybersecurity Best Practices will remain relevant.
Additionally, the Healthcare Application & Licensing Portal ('HALP') will replace the current eLIS system for all HCSA licence applications and renewals. Licensees under the PHMCA remain strongly advised to review the best practices and implement relevant measures where appropriate, to help safeguard and ensure the integrity of the personal and medical data within their medical records and so comply with the PHMCR and the PDPA.
The HSA has also promulgated a number of guidelines, including:
- Guidance on Clinical Research Materials;
- Guidance on Safeguards and Consent Requirements in Vulnerable Subjects ('the Guidance on Vulnerable Subjects'); and
- Guidance on Expedited Safety Reporting Requirements for Therapeutic Products and Medicinal Products Used in Clinical Trials ('the Guidance on Expedited Safety Reporting Requirements').
In the context of clinical trials, the HSA has also adopted certain guidelines published by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use ('ICH'), including the Integrated Addendum to ICH E6(R1): Guideline for Good Clinical Practice E6(R2).
The SMC has issued the following (both of which are discussed further in the section on data obtained from third parties below):
- the Ethical Code and Ethical Guidelines; and
- the Handbook on Medical Ethics.
The definitions of key terms covered in this article are set out below.
'Therapeutic products' falling under the regulatory purview of the HSA are defined in the First Schedule of the HPA. Generally, these refer to substances which:
- are intended for use by and in humans for a therapeutic, preventative, palliative, or diagnostic purpose;
- have as a constituent active ingredient a substance such as a chemical or biological element, a naturally-occurring chemical or botanical material, or a chemical product obtained by chemical change or synthesis;
- exert an inherent effect either pharmacologically, chemically, or by other physiological means; and
- are not medical devices, products containing human or animal cell or tissue, genetics-related substances, blood or blood components, Chinese proprietary medicine, homeopathic medicine, medicated oil or balm, quasi-medicinal products, or traditional medicine.
'Medicinal products' are defined under the Medicines Act to mean any substance or article (not being an instrument, apparatus, or appliance) which is manufactured, sold, supplied, imported, or exported for use wholly or mainly in either or both of the following ways:
- use by being administered to one or more human beings or animals for a medicinal purpose; or
- use as an ingredient in the preparation of a substance or article which is to be administered to one or more human beings or animals for a medicinal purpose.
A 'medicinal purpose' is defined under the Medicines Act to mean any one or more of the following purposes:
- treating or preventing disease;
- diagnosing disease or ascertaining the existence, degree, or extent of a physiological condition;
- inducing anaesthesia; or
- otherwise preventing or interfering with the normal operation of a physiological function, whether permanently or temporarily, and whether by way of terminating, reducing or postponing, or increasing or accelerating, the operation of that function or in any other way.
'Personal data' is defined in the PDPA as data, whether true or not, about an individual who can be identified either:
- from that data; or
- from that data and other information to which the organisation has or is likely to have access.
New regulations that streamline and simplify the regulatory approach for the import and supply of therapeutic products, medicinal products, and medical devices for use in clinical research, including regulated clinical trials, have been in force since 1 November 2016. These products are referred to as 'clinical research materials', and the following apply to clinical trials pertaining to such products:
- Clinical trials of therapeutic products, including chemical or biologic drugs, are regulated under the HPA and its subsidiary legislation, in particular the HPR. Prior to initiating a clinical trial of a therapeutic product, either a Clinical Trial Authorisation or acceptance of a Clinical Trial Notification must be obtained. With effect from 1 October 2021, the HPR was also amended to specify additional information, such as that the provision of tissue is voluntary, which must be provided to trial participants before consent is obtained for the collection of tissue for the purposes of a regulated clinical trial.
- Clinical trials of medicinal products (e.g. cell, tissue, and gene therapy products and complementary health products) are regulated under the Medicines Act and its subsidiary legislation, in particular the Medicines (Clinical Trials) Regulations 2016 ('the Medicines Regulations'). Prior to initiating a clinical trial of a medicinal product, a Clinical Trial Certificate must have been obtained.
- Clinical trials on medical devices are not regulated by the HSA at this time. However, medical devices with a planned use for a clinical purpose in any clinical research are regulated as 'clinical research material' under the Health Products (Medical Devices) Regulations 2010 ('the Health Products Regulations').
In relation to clinical trials regulated by the HSA, pursuant to Regulation 23 of the HPR and Regulation 23 of the Medicines Regulations, clinical trial records must be kept up to date and available at all times for inspection by the HSA for prescribed periods so as to:
- permit proper evaluations to be made of the conduct of the trial and the quality of the data produced; and
- demonstrate the compliance by each person involved in the trial with the principles of good clinical practice and all applicable regulatory requirements.
Sponsors of clinical trials are subject to various general reporting and notification obligations, which include, among other things, the following requirements:
- Under Regulation 12(1) of the HPR and Regulation 12(1) of the Medicines Regulations, the sponsor must, within 14 days after the end of each reporting period of a clinical trial (typically every six months), provide the HSA with a report on the status of the clinical trial in the form and manner specified by the HSA and including information such as, among others, the trial's date of commencement, the number of subjects enrolled at a trial site, whether any audit has been conducted, and whether the trial has been concluded, terminated, or suspended.
- Under Regulation 12(2) of the HPR and Regulation 12(2) of the Medicines Regulations, the HSA may also at any time require the sponsor to provide a report on the status of a clinical trial, either immediately or within a specified timeframe.
- Under Regulation 12(3) of the HPR and Regulation 12(3) of the Medicines Regulations, the sponsor must notify the HSA of the conclusion of the clinical trial within 30 days, and submit to the HSA a final report of the trial within one year after the date of conclusion, or such longer period as the HSA may allow in any particular case.
- Under Regulation 12(4) of the HPR and Regulation 12(4) of the Medicines Regulations, if the clinical trial is suspended or terminated before the conclusion date of the trial or the concluding event specified in the protocol for the trial, the sponsor must notify HSA within 15 days of such suspension or termination.
Sponsors also bear specific obligations in relation to reporting of product defects and adverse effects in clinical trials:
- Under Regulation 24 of the HPR and Regulation 24 of the Medicines Regulations, a principal investigator must immediately report any serious adverse event which occurs in a subject during a clinical trial to the sponsor to enable the sponsor to comply with its obligations under Regulation 4 of the HPR or the Medicines Regulations (as applicable).
- Under Regulation 25 of the HPR and Regulation 25 of the Medicines Regulations:
- where any unexpected serious adverse drug reaction ('USADR') occurs in a subject during a clinical trial which results in death or is life-threatening, the sponsor must ensure that all relevant information about the USADR is recorded and reported to HSA as soon as possible, and in any event not later than seven days after the sponsor first becomes aware of the event. Any additional relevant information about the USADR must also be recorded and sent to the HSA within eight days of making the record of the USADR;
- where any USADR occurs in a subject during the clinical trial, other than one which results in death or is life-threatening, the sponsor must ensure that all relevant information about the reaction is recorded and reported to the HSA as soon as possible and not later than 15 days after the sponsor first becomes aware of the event; and
- upon a request made by the HSA, the sponsor must furnish to the HSA a report of (a) its assessment of the risks associated with a USADR and (b) the steps proposed to be taken to mitigate the risk, and to inform the person whose consent is required for a person to be a subject or to continue to be a subject in the clinical trial of the risk.
Further elaboration on these reporting requirements may be found in guidance issued by the HSA in relation to therapeutic products and medicinal products (in particular the Guidance on Expedited Safety Reporting Requirements) as well as for medical devices (GN-05: Guidance on the Reporting of Adverse Events for Medical Devices ('GN-05 Guidance')).
In addition, sponsors are also subject to the following obligations pertaining to the notification of serious breaches and of urgent safety measures. A 'serious breach' is defined under Regulation 11(4) of the HPR and Regulation 11(4) of the Medicines Regulations as a breach during a clinical trial which is likely to affect to a significant degree either the safety or physical or mental integrity of any subject of the trial, or the scientific value of the trial.
- Under Regulation 11(1) of the HPR and Regulation 11(1) of the Medicines Regulations, the sponsor must notify the HSA in writing of any serious breach during the clinical trial of any of the following:
- the principles of good clinical practice;
- the protocol relating to the trial as amended from time to time; and
- the HPR or the Medicines Regulations (as applicable).
- Under Regulation 11(2) of the HPR and Regulation 11(2) of the Medicines Regulations, where the relevant Institutional Review Board ('IRB') of a clinical trial requires any person to report to it any serious breach during the trial of:
- the principles of good clinical practice; or
- the protocol relating to the trial as amended from time to time,
that person must do so in accordance with the requirements of the IRB.
- Under Regulation 11(3) of the HPR and Regulation 11(3) of the Medicines Regulations, where an 'urgent safety measure' under Regulation 21 of the HPR or the Medicines Regulations (as applicable) is taken in relation to a subject of the clinical trial, the sponsor must give written notice to the HSA of the measure taken and the circumstances giving rise to the measure. This must be done as soon as possible and, in any event, not later than seven days after the date the urgent safety measure is taken.
Further guidance on these requirements may be found in guidance issued by the HSA, namely the Clinical Trials Guidance on Notification of Serious Breach ('the Clinical Trials Guidance'), which relates to the notification of serious breaches occurring in all phases of clinical trials regulated by the HSA. In summary, the Clinical Trials Guidance was amended on 1 March 2021 to add Cell, Tissue and Gene Therapy Products, a new category of health products regulated under the HPR, and to amend the term 'subjects' to 'trial participants'.
Data collected and processed in the course of clinical trials are, in the first instance, subject to the requirements under the HPR or the Medicines Regulations (as applicable).
Further, to the extent that such data constitutes 'personal data' as defined in the PDPA (see the section on Definitions above), its collection and processing must be carried out in accordance with the requirements of the PDPA, save where such requirements are inconsistent with the provisions of other written laws in Singapore.
These requirements are elaborated upon in further detail in the section on Consent below.
Retention restrictions in respect of such data are imposed on certain healthcare institutions pursuant to the PHMCR, as well as the MOH's 2015 National Guidelines for Retention Periods of Medical Records. Currently, all healthcare institutions licensed under the PHMCA must adhere to the Specific Licensing Terms and Conditions on Medical Records for Healthcare Institutions. Moving forward, for licensees under the HCSA, MOH will issue the Licence Conditions on the retention period of medical records under the HCSR by end-January 2022 as per MOH’s website.
In addition, the PDPA imposes a general baseline level of restrictions on the retention of personal data on all organisations collecting, using and/or disclosing personal data in Singapore.
These requirements are elaborated upon in further detail in the section on Data Management below.
Both the HPR and the Medicines Regulations set out obligations that relate, or could potentially relate, to the collection, use and/or disclosure of personal data (as defined in the PDPA).
Regulation 16 of the HPR and Regulation 16 of the Medicines Regulations require the prior consent of all subjects participating in the clinical trial, in accordance with the requirements and subject to the exceptions set out in Regulations 16 to 20 of the HPR or the Medicines Regulations (as applicable).
Such consent may be given by another person on behalf of the subject in certain circumstances, depending on factors such as the age and mental capacity of the subject.
Under Regulation 19 of the HPR and Regulation 19 of the Medicines Regulations, in obtaining the requisite consent a full and reasonable explanation must be given to the subject as to certain matters, including (in relation to a subject's data):
- the persons who will be granted access to a subject's medical records and the extent of such access, including the possibility that the HSA may inspect the records; and
- the extent to which records identifying the subject will be kept confidential.
Regulation 18 of the HPR and Regulation 18 of the Medicines Regulations set out general requirements as to consent. The requisite consent must be in writing and in the form approved by both the HSA and the relevant IRB of the clinical trial. It must also be signed and dated by the person giving the consent. Alternatively, if the person is unable to sign or date this written form, the consent must then be signed and dated in the form and manner approved by the relevant IRB and be obtained in the presence of an impartial witness. If the person giving consent is unable to read, this form must be read and explained to that person in the presence of an impartial witness. In either case, the impartial witness must sign and date the written form to attest that the person's consent was freely given, and (where the form was read and explained) that the form was accurately explained to the person giving the consent. Additionally, legal representatives or family members or persons giving consent on behalf of others must act in the 'best interests' of the clinical trial subject. In determining what is in the 'best interests' of a subject in a clinical trial, pursuant to Section 6 of the Mental Capacity Act 2008, the person making the determination must, among other requirements, consider the subject's past and present wishes and feelings, and any factors which the subject would consider if he were able to do so.
Further information on the regulatory requirements for clinical trials involving subjects who cannot provide their personal consent may be found in the Guidance on Vulnerable Subjects issued by the HSA.
In addition to the foregoing, under the PDPA organisations must, as a general rule, obtain consent from individuals before collecting, using or disclosing their personal data, unless an exception specified under the First and Second Schedules to the PDPA applies.
Exceptions which may be relevant to the pharmaceutical sector include those under Parts 2 and 3 in the Second Schedule of the PDPA, which allow an organisation to use and disclose, respectively, personal data without the consent of the individual for research purposes, including historical or statistical research. Pursuant to this exception, organisations may be able to conduct retrospective research studies or registry research involving patients' personal data, without seeking consent from such patients to use and/or disclose their personal data.
In order to rely on the exceptions, the following conditions must generally be satisfied:
- the research purpose cannot reasonably be accomplished unless the personal data is used or disclosed in an individually identifiable form;
- in the case of disclosing the personal data, it is impracticable for the organisation to seek the consent of the individual for the disclosure;
- there is a clear public benefit to using or disclosing the personal data for the research purpose;
- the results of the research will not be used to make any decision that affects the individual; and
- in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual.
As an alternative, the PDPC has also suggested in its Advisory Guidelines on Key Concepts in the PDPA ('the Guidelines on Key Concepts') that organisations may consider using anonymous data to conduct research, as such data is not personal data and would not be governed by the PDPA.
2.3. Data obtained from third parties
When obtaining data from someone other than the data subject, there are various obligations pertaining to the preservation of confidentiality and the disclosure of data which should also be noted in addition to the consent requirements outlined above.
Medical professionals are bound by various ethical obligations in relation to medical confidentiality. Under Paragraph C7 of the SMC's Ethical Code and Ethical Guidelines, as well as Paragraph C7 of the SMC Handbook on Medical Ethics, medical professionals are required to, among other things, maintain medical confidentiality unless patients have consented to specific disclosure to other parties, take reasonable care to ensure the security of systems used to store medical records, not access confidential patient information if they are not involved in any aspect of the patient's care, and only disclose a patient's information without consent if there are sound justifications (such as where this is mandated by law, necessary to protect the patient or others from harm, or where it is in the patient's best interests).
Allied health professionals are required under the Allied Health Professions Council's Code of Professional Conduct to keep patient records confidential, and to use information obtained in the course of their professional practice only for the purposes for which it was given, or where otherwise lawful. Additionally, they must ensure that there is no disclosure of any patient information without consent, except where it is required or permitted by law or if it is required to protect the patient or others from harm. Furthermore, they must take reasonable steps to make sure that there is no unauthorised access, use or accidental disclosure of patient information.
In addition, the PDPA as a general rule requires organisations to obtain consent from individuals before collecting, using, or disclosing their personal data unless an exception specified in the First or Second Schedules of the PDPA applies.
However, under Section 17(1) read with the First Schedule or Paragraph 3 of Part 3 of the Second Schedule of the PDPA, an organisation may disclose personal data about current or former patients of a healthcare institution licensed under the PHMCA, a licensee under the HCSA, or any other prescribed healthcare body to a public agency for the purposes of policy formulation or review without the patients' consent.
Data protection and confidentiality
The regulatory provisions for confidentiality in the context of clinical trials are set out in Paragraph 11 of the First Schedule of the HPR and Paragraph 11 of the First Schedule of the Medicines Regulations. Additionally, reference should also be had to Sections 2.11, 4.8.10(n) and (o), 8.3.21 and 8.4.3 of the ICH E6 Good Clinical Practice Guidelines.
Under Regulation 13 read with Paragraph 11 of the First Schedule of the HPR, as well as Regulation 13 read with Paragraph 11 of the First Schedule of the Medicines Regulations, clinical trials must be conducted in accordance with the principles of good clinical practice. This includes protecting the confidentiality of records that could identify subjects, and respecting the privacy and confidentiality rules in accordance with any applicable written law or rule or principle of law.
In addition, under Section 2.11 of the ICH E6 Good Clinical Practice Guidelines, the confidentiality of records that could identify subjects should be protected, respecting the privacy and confidentiality rules in accordance with the applicable regulatory requirement(s).
Furthermore, under Sections 4.8.10(n) and (o) of the ICH E6 Good Clinical Practice Guidelines, both the informed consent discussion and the written informed consent form and any other written information provided to subjects should include explanations stating that:
- the monitor(s), the auditor(s), the IRB/IEC, and the regulatory authority/authorities will be granted direct access to the subject's original medical records for verification of clinical trial procedures and/or data, without violating the confidentiality of the subject, to the extent permitted by the applicable laws and regulations and that, by signing a written informed consent form, the subject or the subject's legally acceptable representative is authorising such access; and
- records identifying the subject will be kept confidential and, to the extent permitted by the applicable laws and/or regulations, will not be made publicly available, and that if the results of the trial are published, the subject's identity will remain confidential.
Moreover, during the clinical conduct of the trial, a Subject Identification Code List should also be kept (Section 8.3.21 of the ICH E6 Good Clinical Practice Guidelines) and completed after completion or termination of the trial (Section 8.4.3 of the ICH E6 Good Clinical Practice Guidelines).
In addition to the foregoing, Section 24 of the PDPA requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.
The PDPC has stated in Paragraph 17.2 of the Guidelines on Key Concepts in the PDPA that there is no 'one-size-fits-all' solution for organisations to comply with the Protection Obligation. Each organisation should consider adopting security arrangements that are reasonable and appropriate in the circumstances, taking into consideration, for example, the nature of the personal data, the form in which the personal data has been collected and the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the personal data.
Separately, the PHMCA and the HCSA (when it comes into operation) also contain provisions relating to the protection of confidential information such as patients' medical records, diagnosis, or treatment.
The Medicines Act and HPA impose pharmacovigilance obligations on licensees in relation to the monitoring and notifying of serious adverse events arising from use of their medicinal products (e.g. complementary health products) or health products, including medical devices.
There are no specific requirements for the pseudonymisation/anonymisation of data under such pharmacovigilance obligations.
However, these pharmacovigilance obligations also operate alongside the Data Protection Obligations under the PDPA, particularly the Consent and Transfer Limitation Obligations.
Specifically, in respect of anonymised data, the PDPC's Advisory Guidelines on the PDPA for Selected Topics ('Selected Topics Guidelines') states that such data would not constitute personal data for the purposes of the PDPA. Accordingly, the Data Protection Obligations would not apply to such anonymised data.
However, if the anonymised data can, when combined with other information, identify an individual, such anonymised data will be rendered personal data again, to which the Data Protection Obligations would consequently apply.
Nonetheless, the PDPC has indicated in the Selected Topics Guidelines that it will adopt a practical approach towards anonymisation and the risks of re-identification, such that if the possibility of re-identification is trivial, the PDPC will consider the data in question anonymised. In January 2018, the PDPC released a guide to basic anonymisation techniques for organisations that share data with other entities to reduce the risk of unauthorised disclosure of personal data.
The PDPA also provides for circumstances in which an individual would be deemed to have consented to the collection, use or disclosure of their personal data, such as where the individual has voluntarily provided their personal data to the organisation for a particular purpose, and it is reasonable for the individual to voluntarily provide the data.
Biobanking, or 'tissue banking activity', is regulated under the HBRA. Among the key definitions in the HBRA are:
- a 'tissue bank', which is defined as an individual or a body of persons, whether incorporated or unincorporated, or other organisation, that carries on or conducts any tissue banking activity but excludes an individual, a body of persons or an organisation that conducts any tissue banking activity solely for the purpose of the person's or organisation's own human biomedical research approved or exempted from review by an IRB; and
- 'tissue banking activity', which is defined as a structured and organised activity involving human tissue for the purposes of facilitating current or future research or for public health or epidemiological purposes or any combination of such purposes, including any of the following activities:
- the collection, storage, procurement or importation of human tissue; or
- the supply, provision or export of human tissue.
Pursuant to the HBRA (Commencement) Notification 2019, the Human Tissue Framework ('HTF Framework') under the HBRA and the Human Biomedical Research (Tissue Banking) Regulations 2019 entered into force on 1 November 2019. Under the HTF Framework, tissue banks must ensure that all tissue banking activities are in compliance with the HBRA, and conducted in accordance with institutional standards, policies, and procedures.
In relation to licensees under the HCSA, Regulation 37 of the HCSR requires a licensee to keep and maintain accurate, complete, and up-to-date patient health records containing patient information such as name, identification or passport number, gender, and date of birth, which must be retained for such periods and in such manner as may be required by the MOH. Further, the record must also contain a range of information comprising clinical findings and progress notes, the clinical management and care plan, and the discharge summary, if available to the licensee. Licensees must consequently ensure that every patient health record accurately and clearly sets out any follow-up action identified as being appropriate and necessary for the patient, and accurately sets out whether the follow-up action was taken and, if not, the reason for the failure.
Regulation 38 of the HCSR also imposes various requirements relating to the safeguarding of these records, the maintenance of their confidentiality and integrity, and the taking of reasonable care in their disposal or destruction.
A similar requirement can be found for healthcare institutions licensed under the PHMCA. For comparison, Regulation 12 of the PHMCR requires every licensee of a private hospital, medical clinic, or healthcare establishment to keep and maintain proper medical records containing such patient particulars as may be specified by MOH, which must be retained for such periods as may be required by the MOH. Regulation 12 also imposes various requirements relating to the safeguarding of these records, the maintenance of their accuracy, and the security of their disposal or destruction.
The MOH has also issued the 2015 National Guidelines for Retention Periods of Medical Records, which seek to standardise best practices and ensure that medical records retention practices meet medical and legal requirements. These include the following retention periods:
- computerised or electronic medical records should be retained for at least six years after the patient's lifetime;
- paper hospital or inpatient records (including private and community hospitals) should be retained for 15 years (for adults), until the patient is 24 years of age (for minors), or six years after the patient's lifetime (for patients lacking mental capacity);
- paper intermediate and long-term care records should be retained for 15 years;
- paper ambulatory or outpatient records (including polyclinics, GPs, and private specialists) should be retained for six years or longer for 'high risk' patients;
- electronic patient registers should be retained for at least six years after the patient's lifetime;
- diagnostic images should be retained for six years; and
- assisted reproduction records should be retained for six years after the child's lifetime.
Turning to the PDPA, the Purpose Limitation Obligation (specifically, Section 18 of the PDPA) provides that an organisation may collect, use or disclose personal data about an individual only for purposes:
- that a reasonable person would consider appropriate in the circumstances; and
- which the individual has been informed of by the organisation (pursuant to the Notification Obligation, where applicable).
Whether or not a purpose is 'reasonable' depends on whether a reasonable person would consider it appropriate in the circumstances. The particular circumstances involved should, as such, be taken into account in determining whether the purpose of collection, use, or disclosure is reasonable in any given case. Examples of purposes unlikely to be considered appropriate by a reasonable person would include purposes which are in violation of law or which would result in harm to the individual concerned.
The Notification Obligation under the PDPA (specifically, Section 20 of the PDPA) sets out the obligation of organisations to inform individuals of the purposes for which their personal data will be collected, used and disclosed in order to obtain their consent. The organisation's collection, use, and disclosure is limited to the purposes for which notification has been made to the individuals concerned.
Under Section 20(1) of the PDPA, organisations must inform the individual of:
- the purposes for the collection, use and disclosure of the individual's personal data, on or before collecting such personal data; or
- any purpose for use or disclosure of personal data which has not been informed under Section 20(1)(a) of the PDPA, before such use or disclosure of personal data for that purpose.
However, organisations are not required to inform individuals of the purposes for which their personal data will be collected, used, or disclosed where the individual is deemed to have consented, or where an applicable exception to the consent requirement applies.
The Access and Correction Obligations under Sections 21 and 22 of the PDPA provide for the rights of individuals to request access to, and the correction of, their personal data that is in the possession or under the control of an organisation, and the organisation's corresponding obligations to provide access to, and to correct, such data.
Under Section 21(1) of the PDPA, upon request by an individual, an organisation shall provide the individual with the following as soon as reasonably possible:
- personal data about the individual that is in the possession or under the control of the organisation; and
- information about the ways in which that personal data has been or may have been used or disclosed by the organisation within a year before the date of the individual's request.
An organisation's obligation in responding to an access request is to provide the individual access to the complete set of personal data requested by the individual which is in the organisation's possession or under its control, unless any relevant exception in Section 21 or the Fifth Schedule to the PDPA applies. These exceptions include, among others:
- opinion data kept solely for an evaluative purpose;
- personal data subject to legal privilege;
- personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
- where the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual's interests; or
- where the provision of access could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request.
Under Section 22(1) of the PDPA, an individual may submit a request for an organisation to correct an error or omission in the individual's personal data that is in the possession or under the control of the organisation.
Upon receipt of a correction request, the organisation is required to consider whether the correction should be made. Unless the organisation is satisfied on reasonable grounds that the correction should not be made, it should:
- correct the personal data as soon as practicable; and
- send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction request was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
The obligation to correct personal data is subject to a number of exceptions set out in Section 22 and the Sixth Schedule of the PDPA. Section 22(6) provides that an organisation shall not be required to correct or otherwise alter an opinion, including a professional or an expert opinion. One such exception in the Sixth Schedule relates to personal data which is opinion data kept solely for an evaluative purpose as defined under the PDPA.
The Accuracy Obligation under Section 23 of the PDPA requires an organisation to make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data:
- is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or
- is likely to be disclosed by the organisation to another organisation.
The Protection Obligation under Section 24 of the PDPA requires an organisation to make reasonable security arrangements to protect personal data in its possession or under its control. The PDPC has stated in its Healthcare Guidelines that there is no 'one-size-fits-all' solution for organisations to comply with the Protection Obligation, and that generally, where the personal data stored is regarded as more confidential and where the adverse impact to individuals is significantly greater if such personal data were inadvertently accessed (e.g. relating to sensitive medical conditions), tighter security arrangements should be employed. As such, healthcare institutions should consider the nature of the personal data in their possession or under their control (as the case may be) to determine the security arrangements that are reasonable and appropriate in the circumstances.
In relation to patient files and records, the Retention Obligation under Section 25 of the PDPA requires an organisation to cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served by retention of the personal data, and retention is no longer necessary for legal or business purposes. The PDPC has stated in its Healthcare Guidelines that generally speaking, retaining personal data of existing patients for the purpose of having access to their consultation history would be considered a business purpose, and that the PDPA does not require an organisation to delete all personal data about the individual concerned upon receipt of a notice withdrawing consent.
The PDPC has further stated that while the PDPA does not prescribe a specific retention period for personal data, healthcare institutions should nonetheless review the personal data they hold on a regular basis to determine if that personal data is still needed. Generally, healthcare institutions should not retain personal data when it is no longer necessary for the purposes for which the personal data was collected or for any legal or business purpose.
The Accountability Obligation under the PDPA (specifically, Section 11(3) of the PDPA) requires an organisation to designate one or more individuals to be responsible for ensuring that the organisation complies with the PDPA. This individual is typically referred to as a data protection officer ('DPO').
The DPO plays an essential role in the organisation meeting its obligations under the PDPA. His/her responsibilities include working with senior management to implement data protection policies and practices, which may include producing a personal data inventory, conducting data protection impact assessments, risk monitoring, internal training, and other matters. Section 11(5) of the PDPA requires an organisation to make available the business contact information of a person who is able to answer questions on behalf of the organisation relating to the collection, use, or disclosure of personal data.
Separately, the PDPC has also published a Guide to Data Protection Practices for ICT Systems (14 September 2021) ('the ICT Guide'). The PDPC has formulated checklists of basic and enhanced practices for organisations to ensure a minimum level of data protection, covering three main categories for each stage of the data lifecycle. These comprise:
- policy/risk management for ICT systems;
- ICT control measures; and
- Standard Operating Procedures/Information Technology operations.
The PDPC has further noted in the ICT Guide that coding issues have been raised as the main cause of a few recent data breach incidents. Hence, organisations can refer specifically to the checklist on ICT Security and Testing to design, test, and maintain ICT systems capable of protecting stored personal data against current and emerging ICT security threats.
Healthcare institutions may opt to outsource the processing of personal data collected by them to data intermediaries engaged for this purpose. In such situations, the PDPA provides that a data intermediary that processes personal data on behalf and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing will only be subject to the Protection Obligation and Retention Limitation Obligation and not any of the other data protection provisions within the PDPA. However, in respect of other activities that do not constitute processing of personal data on behalf and for the purposes of another organisation that is pursuant to a contract evidenced or made in writing, the data intermediary remains responsible for complying with all Data Protection Obligations in the PDPA.
An organisation that engages a data intermediary is also not relieved of its own obligations under the PDPA. Under Section 4(3) of the PDPA, the organisation that engages the data intermediary still retains the same obligations under the PDPA in respect of personal data processed on its behalf as if the personal data were processed by the organisation itself.
Under the PDPA, 'personal data' is broadly defined as data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. However, the PDPA does not distinguish personal data based on the degree of sensitivity of such data; all organisations, including those intending to transfer personal data out of Singapore, are required to comply with the Data Protection Obligations under the PDPA.
However, the sensitivity of personal data may nonetheless be relevant under the PDPA. For example, the Protection Obligation requires an organisation to make reasonable security arrangements to protect personal data in its possession, or under its control, in order to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks. In determining what security arrangements would be 'reasonable,' the Guidelines on Key Concepts in the PDPA state that a relevant consideration would be the sensitivity of the personal data in question.
In addition, in the event of a breach of the Data Protection Obligations, the PDPC may consider certain aggravating and mitigating factors in calculating the financial penalty to be imposed on the organisation. In particular, the fact that the organisation is in the business of handling large volumes of sensitive personal data (such as National Registration Identity Card numbers, medical or financial data or minors' personal data), the disclosure of which may cause exceptional damage, injury, or hardship to individuals, but failed to put in place adequate safeguards proportional to the harm that might be caused by disclosure of that personal data, would be an aggravating factor (based on the PDPC's Advisory Guidelines on Enforcement for Data Protection Provisions ('Enforcement Guidelines')).
Additionally, in light of its introduction of a mandatory data breach notification requirement under the PDPA, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 have been implemented ('Data Breach Regulations'). The Data Breach Regulations have categorised the unauthorised disclosure of certain types of sensitive personal data such as national identification numbers, health records, financial information and criminal records as a data breach deemed to result in significant harm to an individual as compared to other forms of personal data such as names and email addresses.
Where a data breach is deemed to result in significant harm to the affected individuals, organisations are required to notify the PDPC and, subject to the exceptions in sections 26D(5) to 26D(7) of the PDPA, the affected individuals. The PDPC has indicated that the purpose of notifying the affected individuals is to allow them the opportunity to take steps to protect themselves from the risks of harm or impact from the data breach, such as by reviewing suspicious account activities, cancelling credit cards, or changing passwords.
In relation to the transfer of personal data covered by the PDPA, the Transfer Limitation Obligation under Section 26 of the PDPA prohibits organisations from transferring personal data out of Singapore except in accordance with the requirements under the PDPA. Under the Personal Data Protection Regulations 2021 ('PDP Regulations'), organisations transferring personal data out of Singapore must ensure that the overseas recipients of the transferred personal data are bound by 'legally enforceable obligations' to provide to the transferred personal data a standard of protection at least comparable to that accorded by the PDPA (Regulation 10(1) of the PDP Regulations). 'Legally enforceable obligations' include obligations imposed by law, contract, binding corporate rules (in the case of intra-corporate transfers), or any other legally binding instrument (Regulation 11(1) of the PDP Regulations).
An organisation would be taken to have complied with Regulation 10(1) of the PDP Regulations when (per Regulation 10(2) of the PDP Regulations):
- the individual has consented to the transfer of his/her personal data, subject to the following conditions:
- before giving consent, the individual was given a reasonable summary in writing of the extent to which his/her personal data to be transferred out of Singapore will be protected to a standard comparable to the protections afforded under the PDPA;
- the transferring organisation did not require the individual to consent to the transfer as a condition of providing a product or service, unless the transfer is reasonably necessary to provide the product or service to the individual; or
- the transferring organisation did not obtain or attempt to obtain the individual's consent to transfer his/her personal data by providing false or misleading information about the transfer, or by using other deceptive or misleading practices;
- the transfer is necessary for the performance of a contract between the organisation and the individual, or to do anything at the individual's request with a view to his/her entering a contract with the organisation;
- the transfer is necessary for the conclusion or performance of a contract between the organisation and a third party which is entered into at the individual's request, or which a reasonable person would consider to be in the individual's interest;
- the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA (e.g. use or disclosure is necessary to respond to an emergency that threatens the life, health, or safety of an individual), provided that the organisation has taken reasonable steps to ensure that the transferred personal data will not be used or disclosed for any other purpose;
- the personal data is data in transit; or
- the personal data is publicly available in Singapore.
A data breach refers to the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data or the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
A mandatory breach notification regime was introduced in Part VIA of the PDPA when the PDPA Amendment Bill partially came into effect on 1 February 2021. As mentioned above, this is through the Personal Data Protection (Notification of Data Breaches) Regulations 2021.
Under the new regime, organisations are required to notify the PDPC of any data breach where there is a risk of impact or harm to affected individuals, or where there is a significant scale of breach (e.g. the data breach involves the personal data of 500 or more affected individuals). The PDPC should be notified as soon as practicable but no later than 72 hours from the time the organisation becomes aware of the data breach.
Organisations will only be required to notify affected individuals of a data breach where there is a risk of significant impact or harm to affected individuals subject to certain exceptions. Where required, organisations should notify the affected individuals as soon as practicable.
Follow-up amendments to the regime have been made via the Personal Data Protection (Notification of Data Breaches) (Amendment) Regulations 2021 and the Personal Data Protection (Enforcement) Regulations 2021, both of which came into operation on 1 October 2021.
Broadly, minor clarifications were made to what type of data breach would be deemed to result in significant harm. Paragraph 6A of the Schedule of the Personal Data Protection (Notification of Data Breaches) Regulations 2021 was inserted to include inter alia the name or address of any woman or girl, or any picture showing the woman or girl, in respect of whom a specified offence under the Penal Code 1871 or the Women’s Charter 1961 is alleged to have been committed, as one such prescribed type of data breach which would warrant mandatory data breach reporting.
Separately, Regulation 1A of the Personal Data Protection (Enforcement) Regulations 2021 prescribing the manners in which organisations may provide the business contact information of their DPOs was inserted to include:
- where the organisation is registered under the Business Names Registration Act 2014, the Companies Act 1967, the Limited Liability Partnerships Act 2005, or the Limited Partnerships Act 2008, in a record made available on the Internet website of the Accounting and Corporate Regulatory Authority; or
- in a readily accessible part of the organisation’s official website.
Regulations 15A and 15B were also inserted to include the prior consent of an individual to whom the personal data disclosed or used relates as a defence to offences of egregious mishandling of personal data.
While section 26D(2) of the PDPA requires organisations to notify affected individuals as soon as possible, at the same time as or after notifying the PDPC, the PDPC has in the Guide on Managing and Notifying Data Breaches Under the PDPA ('Data Breach Guide') strongly encouraged organisations to notify and seek advice from the PDPC first, before notifying the affected individuals, where the data breach is likely to attract widespread public attention and/or interest, or where the organisation requires guidance on notifying the affected individuals. The notification to the PDPC must include the following information:
- the date on which and the circumstances in which the organisation first became aware that the data breach had occurred;
- a chronological account of the steps taken by the organisation after the organisation became aware that the data breach had occurred;
- information on how the notifiable data breach occurred;
- the number of affected individuals affected by the notifiable data breach;
- the personal data or classes of personal data affected by the notifiable data breach;
- the potential harm to the affected individuals as a result of the notifiable data breach;
- information on any action by the organisation, whether taken before or to be taken after the organisation notifies the PDPC of the occurrence of the notifiable data breach to eliminate or mitigate any potential harm to any affected individual as a result of the notifiable data breach and to address or remedy any failure or shortcoming that the organisation believes to have caused, or enabled or facilitated the occurrence of, the notifiable data breach;
- information on the organisation’s plan (if any) to inform, on or after notifying the PDPC of the occurrence of the notifiable data breach, all or any affected individuals or the public that the notifiable data breach has occurred and how an affected individual may eliminate or mitigate any potential harm as a result of the notifiable data breach; and
- the business contact information of at least one authorised representative of the organisation.
The notification to the affected individuals must include the following information, where available:
- the circumstances in which the organisation first became aware that the notifiable data breach had occurred;
- the personal data or classes of personal data relating to the affected individual affected by the notifiable data breach;
- the potential harm to the affected individual as a result of the notifiable data breach;
- information on any action by the organisation, whether taken before or to be taken after the organisation notifies the affected individual to eliminate or mitigate any potential harm to the affected individual as a result of the notifiable data breach and to address or remedy any failure or shortcoming that the organisation believes to have caused, or enabled or facilitated the occurrence of, the notifiable data breach;
- the steps that the affected individual may take to eliminate or mitigate any potential harm as a result of the notifiable data breach, including preventing the misuse of the affected individual’s personal data affected by the notifiable data breach; and
- the business contact information of at least one authorised representative of the organisation.
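The notification regime set out above, from the definition of a data breach and the thresholds for notifying the PDPC and affected individuals through to the contents of the PDPC notification, can be turned into a triage step in an incident response playbook. The following is an added example, not code from the original page or from the PDPC: it encodes the deemed-significant-harm data classes, the 500-individual scale threshold, the 72-hour clock from the time of awareness and the required PDPC notification items, and runs them over a structured incident record. The class labels, field names and the sample incident are this example's own.

```python
"""Triage of a data breach under the PDPA's mandatory notification regime.

Added example, not from the original page or from the PDPC. It encodes the
rules the text sets out: data classes the Data Breach Regulations deem to
result in significant harm, the 500-individual scale threshold, the 72-hour
deadline from the time the organisation becomes aware, the s26D(5)-(7)
exceptions to notifying individuals, and the items the PDPC notification
must carry. Labels and field names are this example's own.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# Labels for the data classes the text says are deemed to result in significant
# harm: national identification numbers, health records, financial information
# and criminal records.
SIGNIFICANT_HARM_CLASSES = {"national_id", "health_record", "financial", "criminal_record"}
SIGNIFICANT_SCALE = 500               # "500 or more affected individuals"
PDPC_DEADLINE = timedelta(hours=72)   # no later than 72 hours after becoming aware

# The items the text lists for the notification to the PDPC, as dictionary keys.
PDPC_REQUIRED_FIELDS = (
    "awareness_date_and_circumstances", "chronology_of_steps", "how_it_occurred",
    "number_affected", "data_classes_affected", "potential_harm",
    "mitigation_actions", "plan_to_inform_individuals", "contact_information",
)

# Constructed time of awareness used by the stand-alone run below.
EXAMPLE_AWARE_AT = datetime(2022, 1, 10, 9, 0, tzinfo=timezone.utc)


@dataclass
class Incident:
    aware_at: datetime                  # when the organisation became aware of the breach
    affected_count: int
    data_classes: Set[str]              # e.g. {"name", "email", "health_record"}
    assessed_significant_harm: bool = False    # assessor's judgement where no deemed class is involved
    individual_exception_applies: bool = False  # an exception in s26D(5)-(7) applies


@dataclass
class Assessment:
    notify_pdpc: bool
    pdpc_deadline: Optional[datetime]
    notify_individuals: bool
    reasons: List[str] = field(default_factory=list)


def assess(incident: Incident) -> Assessment:
    """Apply the PDPC and affected-individual notification tests to one incident."""
    deemed = sorted(incident.data_classes & SIGNIFICANT_HARM_CLASSES)
    significant_harm = bool(deemed) or incident.assessed_significant_harm
    significant_scale = incident.affected_count >= SIGNIFICANT_SCALE
    reasons = []
    if deemed:
        reasons.append(f"deemed significant harm: {', '.join(deemed)}")
    elif incident.assessed_significant_harm:
        reasons.append("assessed as likely to cause significant harm")
    if significant_scale:
        reasons.append(f"significant scale: {incident.affected_count} >= {SIGNIFICANT_SCALE}")
    # The PDPC is notified on either ground; individuals only where significant
    # harm is likely and no exception applies.
    notify_pdpc = significant_harm or significant_scale
    notify_individuals = significant_harm and not incident.individual_exception_applies
    if significant_harm and incident.individual_exception_applies:
        reasons.append("individual notification not required: s26D(5)-(7) exception")
    deadline = incident.aware_at + PDPC_DEADLINE if notify_pdpc else None
    return Assessment(notify_pdpc, deadline, notify_individuals, reasons)


def hours_remaining(assessment: Assessment, now: datetime) -> Optional[float]:
    """Hours left on the 72-hour clock (negative once overdue); None if no PDPC notification is due."""
    if assessment.pdpc_deadline is None:
        return None
    return (assessment.pdpc_deadline - now).total_seconds() / 3600


def missing_pdpc_fields(draft: dict) -> List[str]:
    """Required items that are absent or empty in a draft PDPC notification."""
    return [f for f in PDPC_REQUIRED_FIELDS if not draft.get(f)]


if __name__ == "__main__":
    # Constructed incident: a clinic's exported appointment list with diagnoses disclosed.
    result = assess(Incident(EXAMPLE_AWARE_AT, 40, {"name", "email", "health_record"}))
    print(result)
    print("hours left:", hours_remaining(result, EXAMPLE_AWARE_AT))
    print("missing:", missing_pdpc_fields({"number_affected": 40}))
```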
Furthermore, section 48J(6) of the PDPA states that the PDPC must, in calculating any financial penalty to be imposed on the organisation in respect of a breach, consider amongst others, whether the organisation or person (as the case may be) took any action to mitigate the effects and consequences of the non-compliance, and the timeliness and effectiveness of that action.
9. Data Subject Rights
Under the PDPA, data subjects have a variety of rights in respect of their personal data, including the right to request access to their personal data which is in the possession or under the control of an organisation, as well as to the correction of such data. These rights are outlined in detail in section 5 above.
The PDPA applies to a limited extent in respect of the personal data of deceased individuals. In respect of personal data about a deceased individual who has been dead for more than ten years, the PDPA does not apply. In respect of personal data about a deceased individual who has been dead for ten years or less, only the provisions relating to the disclosure and protection of personal data will apply.
As regards minors, the PDPA does not specify the situations in which a minor (that is, an individual who is less than 21 years of age) may give consent for the purposes of the PDPA. In general, whether a minor can give such consent would, therefore, depend on other legislation and the common law.
The PDPC has however expressed the view that it will adopt the practical rule of thumb that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on their own behalf.
The PDPC has also stated that in situations where a minor does not have the requisite legal capacity to give consent for the purposes of the PDPA, the minor's parents or other legal guardians may give consent on behalf of the minor. Section 14(4) of the PDPA provides in this regard that consent given or deemed to have been given by an individual for the collection, use or disclosure of the individual's personal data includes consent given or deemed to have been given by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data.
The PDPA Amendment Bill will also introduce a new data portability obligation, which requires organisations to transmit, at the request of an individual, personal data of the individual that is in the organisation's possession or under its control to another organisation in a commonly used machine-readable format. The application of this obligation will be subject to certain exceptions and conditions. For example, opinion data kept solely for an evaluative purpose will be excluded from the scope of data applicable to this obligation.
Contravention of the various requirements imposed by the Medicines Regulations may, under Regulation 28, amount to an offence punishable upon conviction by a fine not exceeding SGD 5,000 (approx. €3,350) or to imprisonment for a term not exceeding two years or to both.
Contravention of the various requirements imposed by the HPR may, under Regulation 29, amount to an offence punishable upon conviction by a fine not exceeding SGD 10,000 (approx. €6,690) or to imprisonment for a term not exceeding six months or to both. In the case of more serious contraventions, these may amount to an offence punishable upon conviction by a fine not exceeding SGD 20,000 (approx. €13,380) or to imprisonment for a term not exceeding 12 months or to both.
Under Regulation 60 of the PHMCR, contravention of any of its provisions, or failure to comply with any direction issued thereunder, is an offence punishable upon conviction by a fine not exceeding SGD 2,000 (approx. €1,340) or to imprisonment for a term not exceeding 12 months or to both. As mentioned above, Section 58 of the HCSA provides that the PHMCA (and all its relevant subsidiary legislation) will be repealed. While the HCSA had yet to come into operation at the time of writing, it should be noted that the HCSR came into operation on 3 January 2022. Regulation 50 of the HCSR prescribes that any person who contravenes Regulation 8(2), 24, 25, 26(3)(b), (c) or (d), 27, 28, 29, 30(1), (2) or (3), 31, 32, 33(1), 35, 36, 38, 39(1), 41, 43(1) or (3), 44(1), 45 or 47(1) shall be guilty of an offence. A person guilty of such an offence shall be liable on conviction to a fine not exceeding SGD 20,000 (approx. €13,380) or to imprisonment for a term not exceeding 12 months or to both and, in the case of a continuing offence, to a further fine not exceeding SGD 1,000 (approx. €670) for every day or part of a day during which the offence continues after conviction.
Moreover, under the PDPA, if the PDPC is satisfied that an organisation has contravened the Data Protection Obligations, it may give directions to the organisation to ensure compliance, including a direction to pay a financial penalty of up to SGD 1 million (approx. €669,370). Under the PDPA Amendment Bill, in the case of an organisation whose annual turnover in Singapore exceeds SGD 10 million, the organisation may be subject to a penalty of up to 10% of its annual turnover in Singapore.
In addition, individuals who suffer loss or damage directly as a result of a contravention of Parts IV, V, or VI of the PDPA by an organisation may also commence civil proceedings against the organisation in breach pursuant to a right of action provided for under Section 48O of the PDPA.
11. Other Areas of Interest
Medical devices are governed by the Health Products Regulations, enacted under the HPA and administered by the HSA.
A 'medical device' is defined in full in the First Schedule of the HSA. In general, this refers to a product which is intended to be used to achieve a medical function (including a diagnostic, preventive or therapeutic function), but which does not achieve its primary intended function through pharmacological, immunological or metabolic action. As such, products which are not intended for use in preventing, diagnosing, curing or alleviating diseases, ailments, defects or injuries are not medical devices. Some examples of products that are not medical devices include, among other things, body toning equipment, magnetic accessories, and massagers.
Medical devices are classified into four risk classes and subjected to different degrees of regulation depending on their characteristics. These characteristics include their intended duration of use, degree of invasiveness, and whether they are implantable, active, or contain drug or biologic components.
In the context of pharmacovigilance, the HSA has issued guidance on the reporting of adverse events at a general industry level, in particular the GN-05 Guidance.
Where there is doubt as to whether an adverse event is reportable, the HSA generally recommends that a report be made. A reportable adverse event is one which meets the following three basic criteria:
- an adverse event (or potential adverse event) has occurred;
- the device product is associated with the adverse event; and
- the adverse event led to one of the following outcomes:
  - a serious threat to public health;
  - a serious deterioration in the state of health of the patient, user or another person;
  - no death or serious injury occurred but the event might lead to the death or serious injury of a patient, user or another person if the event recurs; or
  - the death of a patient, user or another person.
The HSA has also prescribed guidelines as to the timelines for dealers of medical devices to report adverse events. These timelines depend on the severity of the adverse event, as determined by the basic criteria set out above.
Telemedicine (or 'telehealth') products include any equipment (e.g. instruments, apparatus, machines or software, including mobile phone applications) that are involved in the provision of healthcare services over physically separate environments via info-communication technologies (including mobile technology).
As there may be an overlap between the definitions of 'telehealth product' and 'medical device,' the HSA has clarified that generally, a telehealth product intended for medical purposes such as the investigation, detection, diagnosis, monitoring, treatment, or management of any medical condition, disease, anatomy, or physiological process will be classified as a medical device and will, therefore, be subject to regulatory controls by HSA.
Telehealth products have been categorised by the HSA into four broad domains:
- tele-collaboration – or the interactions between healthcare professionals for clinical purposes such as referral, co-diagnosis, supervision or case review;
- tele-treatment – or the provision of direct clinical care such as examination, diagnosis and treatment from a remote location via info-communication technologies;
- tele-monitoring – or the collection of biomedical or other forms of data through remote systems, which are used by healthcare professionals for clinical purposes such as vital signs monitoring and home nursing; and
- tele-support – or the use of online services for non-clinical (such as educational or administrative) purposes to support the patient, caregiver or user.
The regulatory principles applied to telehealth products will be in broad alignment with those for medical devices. In regulating such products, the HSA intends to employ a rule-based approach to classification, with the level of scrutiny and regulatory requirements varying commensurately with the relevant risk class. In terms of evaluation, the HSA intends to employ a confidence-based approach, leveraging approvals granted by regulatory agencies to which the HSA refers and/or the prior marketing history of the product, so as to provide for varying evaluation routes.
Healthcare Services Act
In light of evolving healthcare developments such as an increasingly aging population, an uptick in the number of chronic diseases, and the development of telemedicine and mobile medical services, the MOH proposed and sought public consultation on the HCSA. The HCSA is intended to replace the PHMCA, under which premises-based healthcare providers are currently licensed and regulated.
The introduction of a mandatory contribution of patient medical data to the National Electronic Health Record ('NEHR') was tabled at the First Reading of the Draft HCS Bill on 4 November 2019, but was removed before the Bill's Second Reading and consequently did not form part of the HCSA as passed by Parliament on 6 January 2020. The proposal would have had a variety of implications for data protection requirements, including:
- prescribed licensees will be required to contribute core patient data containing critical patient health information to the NEHR in order to facilitate coordination between healthcare providers and promote continuity of care and patient safety. Such data would include, among other things, the patient's profile, diagnosis, procedures or treatments and medications. This was proposed to be implemented on a step-by-step basis starting in December 2019;
- the PDPA's restrictions on the access, use, and contribution of such data will not apply to the NEHR;
- the HCSA also proposes that a patient's data may be retained on the NEHR for a period of ten years after their death;
- a number of safeguards are proposed to ensure the confidentiality of patients' NEHR records. For instance, these records are to be accessed solely for the purposes of patient care and for no other purposes such as employment or insurance assessments. Other proposed measures include providing patients with access logs, conducting regular audits on NEHR access and imposing penalties for unauthorised access;
- under the HCSA, patients may choose to opt-out of the NEHR, but will be notified that doing so may not be in their best interests during emergencies when necessary records may not be available; and
- the effect of opting out will be that while the patient's data will still be uploaded to the NEHR, healthcare providers will not be able to access it, except in emergency situations. Where patients do not wish to have their data uploaded to the NEHR at all, such requests will be considered on a case-by-case basis.
The mandatory contribution to the NEHR has since been deferred by the MOH until further testing and reviews of the system, including exercises to test its defences against targeted attacks and its business continuity and disaster recovery plans, have been completed.
The HCSA also proposes enhancing the MOH's existing powers under the PHMCA, so as to enable the MOH to obtain data from healthcare providers in the interest of patient safety, care and welfare, and public health. This is now found under Section 36 of the HCSA (which, at the time of writing, has yet to come into operation), which gives the Director of Medical Services the power to obtain from any licensee any matter which the Director considers necessary to carry out his functions or duties under the Act. Further, the MOH will also be authorised to publish information about non-compliant licensees and unlicensed providers to improve public awareness and enable patients to make better informed decisions.
The MOH has issued guidelines on clinical genetic/genomic testing and clinical laboratory genetic/genomic testing services, with which all licensees under the PHMCA will need to comply. These guidelines are set out in the Code of Practice on the Standards for the Provision of Clinical Genetic/Genomic Testing Services and Clinical Laboratory Genetic/Genomic Testing Services ('Genetic Testing Code'), which was issued by the MOH on 28 June 2018. The MOH has provided for a 'sunrise period' in respect of these guidelines until 31 December 2020, after which all PHMCA licensees providing clinical genetic/genomic testing services ('CGT') and clinical laboratory genetic/genomic testing services ('LGT') will have to comply with the Genetic Testing Code. In the interim, the Genetic Testing Code operates as a code of practice for all such licensees and is not enforceable.
Briefly, the Genetic Testing Code is intended to set out the minimum standards required for the provision of CGT and LGT services to ensure safe and good quality care for patients. Under the Genetic Testing Code, CGT services refer to the offering and/or ordering of genetic tests and the provision of counselling (amongst other requirements) in accordance with the Genetic Testing Code, while LGT services refer to the provision of clinical laboratory genetic tests by a clinical laboratory for the purpose of identifying a human genetic condition.
The genetic tests under the Genetic Testing Code are tiered into three levels according to the impact of the tests on the patient and his family (including the follow-up management required), the risk of inappropriate ordering of genetic tests, and the susceptibility of test results to wrong interpretation.
The Genetic Testing Code will be translated into the Clinical Genetics and Genomics Services (CGGS) Regulations under the new HCSA for implementation. This will be introduced in Phase 3 which is estimated to be implemented in late 2023.
Cord Blood Banking Service
Cord blood banking service is an HCSA Phase 1 service; the Healthcare Services (Cord Blood Banking Service) Regulations 2021 ('the Cord Blood Banking Regulations') came into effect on 3 January 2022. Any person or business conducting activities involving the handling, processing, and storage of cord blood obtained from an individual and intended for clinical use or transplant in the same or another individual is required to hold a cord blood banking service licence under the HCSA. An exception applies to hospitals which partner with cord blood banks for the collection of cord blood during the delivery of the infant donor; such hospitals do not require a licence.
Under Regulation 9 of the Cord Blood Banking Regulations, the prior express written consent of the mother of the infant donor to the donation of the infant donor's cord blood, and to the collection and storage of any such cord blood, must be obtained before she is in active labour. Before obtaining the mother's consent, a licensee must also provide adequate and appropriate counselling to the mother.
Additionally, a licensee must implement a system for evaluating the medical fitness and suitability of every infant donor and mother of an infant donor (including potential infant donors and their mothers), as specified by Regulation 10 of the Cord Blood Banking Regulations.
Clinical Laboratory Service and Radiological Service
For clinical laboratories, the First Schedule of the HCSA defines the services which require a clinical laboratory service licence to include the examination or testing of any matter derived from the body of any individual for the purpose of, inter alia, assessing the health, condition or genetic predisposition of the individual or any other individual.
While the Healthcare Services (Clinical Laboratory Service and Radiological Service) Regulations 2021 ('the Laboratory and Radiological Service Regulations'), which came into effect on 3 January 2022, do not stipulate the form in which clinical laboratory reports or records are transmitted and stored, Regulation 42 of the Laboratory and Radiological Service Regulations requires clinical laboratory service licensees to keep records of, inter alia, identifying information of the patient (to enable the specimen to be traced to the patient) and of relevant personnel (such as the name of the person who conducted the test).
For radiological services, the First Schedule of the HCSA defines the services which require a radiological service licence to include the use of ionising or non-ionising radiation for, inter alia, the examination of the body, or any matter derived from the body, of an individual.
Regulation 44 of the Laboratory and Radiological Service Regulations also requires a radiological service licensee to keep records in relation to each radiological examination that the licensee conducts of, inter alia, the date, time and type of radiological examination and the name of the person who conducted the examination. The licensee must additionally maintain proper, complete and accurate records of the qualifications and competencies of each member of personnel, of the quality management activities and measures taken by the licensee (i.e. a quality record), and of every programme, policy, system, measure, protocol or process required to be implemented under the Regulations, as stipulated in Regulation 45 of the Laboratory and Radiological Service Regulations.
Nuclear Medicine Assay Service and Nuclear Medicine Imaging Service
The Healthcare Services (Nuclear Medicine Assay Service) and Healthcare Services (Nuclear Medicine Imaging Service) Regulations 2021 ('the Nuclear Medicine and Imaging Regulations') came into effect on 3 January 2022. The Nuclear Medicine and Imaging Regulations build upon the Standards for the Provision of Nuclear Medicine, Imaging, Therapy and Assay Services ('the NM Standards') previously issued on 28 May 2019.
The nuclear medicine imaging service and nuclear medicine assay service are special licensable healthcare services that can only be provided by licensed radiological service providers and clinical laboratories respectively; such licensees are hence required to apply in Phase 1, when the underlying radiological and clinical laboratory services come under the HCSA.
Generally, the Nuclear Medicine and Imaging Regulations are intended to update existing requirements to better ensure patient safety and welfare, stipulating minimum standards for, inter alia, the adequate personnel, facilities, equipment, products, policies and procedures, and Quality Management Systems that licensed providers must have. More detailed requirements will be set out under future Licensing Terms and Conditions ('LTCs') to complement the Regulations; the Nuclear Medicine and Imaging Regulations and LTCs will hence supersede the NM Standards when they come into force.
Blood Banking Service
Under the HCSA, any person or business conducting any one, any combination or all of the five activities comprising collection, testing, processing, storage and distribution, in relation to blood and/or blood components for the purpose of therapeutic transfusion is required to hold a blood banking service licence.
The Healthcare Services (Blood Banking Service) Regulations 2021 ('the Blood Banking Regulations') came into effect on 3 January 2022. Three types of licensee are exempted from the need to hold a blood banking service licence:
- an HCSA clinical laboratory service licensee providing the transfusion medicine discipline and carrying out the collection, processing or distribution of blood or blood components;
- a private hospital licensee under the PHMCA providing acute hospital services carrying out the same, or blood banking activities for the purposes of autologous or directed transfusion; and
- a medical clinic licensee under the PHMCA carrying out the collection of blood or blood components on behalf of a blood banking licensee.
As per Regulation 22 of the Blood Banking Regulations, licensees may outsource pre-donation counselling and donor evaluation activities, and the collection of blood or blood components from donors to other businesses not licensed under the HCSA. However, licensees are expected to retain oversight of any outsourced services and remain ultimately responsible for ensuring compliance by the outsource provider with the Regulations.
Emergency Ambulance Service and Medical Transport Service
The Healthcare Services (Emergency Ambulance Service and Medical Transport Service) Regulations 2022 came into operation on 3 January 2022. To ensure the safety and welfare of patients seeking ambulance services, private ambulance services will be regulated as either Emergency Ambulance Service ('EAS') or Medical Transport Service ('MTS') and these operators will need to be licensed under the HCSA.
Currently, private ambulance operators assessed to have met the MOH Standards for EAS and MTS (2017) ('the MOH EAS and MTS Standards') are accredited under the Voluntary Accreditation Scheme (VAS). Such accredited operators will have their Letter of Accreditation converted to a service licence under the HCSA if they are assessed to still be compliant with the MOH EAS and MTS Standards at the point of porting over to the HCSA. It should be noted that there are additional requirements under the HCSA, including enhanced governance structures, requirements for proper medication supply and storage, conveyance requirements for emergency and non-emergency patients, and fee transparency.
Operators who are not on VAS will be required to apply under HALP from October 2021 onwards and pay the applicable licensing fees, as elaborated in further detail under 'Fees' below.
Only a licensee, or a person acting on the authority of an HCSA licensee, may advertise licensable healthcare services, as per Section 31(1) of the HCSA. Such persons are referred to as an 'authorised person' in the Healthcare Services (Advertisement) Regulations 2021, which came into operation on 3 January 2022.
All other persons who are not HCSA licensees will be subject to the provisions of the Medicines (Advertisement and Sale) Act 1956, which prohibits certain advertisements relating to medical matters and regulates the sale of substances recommended as a medicine.
Separately, the Healthcare Services (Fees) Regulations 2021 ('the Fees Regulations') came into effect on 3 January 2022 and concern the fees applicable to an applicant or a licensee for the grant or renewal of a licence. Generally, lower fees apply to charitable healthcare service provider applicants or licensees, as per Regulation 7 of the Fees Regulations. The exact fees can be found in the First Schedule of the Fees Regulations.
Benjamin Gaw, Director
Drew & Napier LLC, Singapore