Data Privacy and Data Management as applied to Medical Research, and Pharmacovigilance – Thailand
By
John Formichella & Naytiwut Jamallsawat
25 September 2022
This article discusses data privacy, consent, record keeping, disclosure, and patient rights in medical research.
The critical legislation on health and pharmaceuticals that relates to general privacy and data protection law in Thailand, including the Personal Data Protection Act 2019 (‘PDPA’), are as follows:
– National Health Act B.E. 2550 (2007);
– National Health Security Act B.E. 2545 (2002);
– The Medical Profession Act B.E. 2525 (1982);
– Sanatoriums Act B.E. 2541 (1998); and
– The Medical Council Regulations on Medical Ethics Preservation B.E. 2549 (2006).
The above statutes are referred to herein as the “Relevant Legislation.” The PDPA sets the minimum standard for personal data privacy. The Relevant Legislation may require enhanced or greater responsibilities on data controllers or data processors.
The Ministry of Public Health and the Ministry of Digital Economy and Society (formerly known as the Ministry of Information and Communication Technology) is the responsible supervisory authorities concerning data privacy in the health and pharmaceutical industry.
The Relevant Legislation does not provide specific definitions of data privacy. The PDPA, however, does offer purposes to personal data and privacy, listed below:
Personal Data: Any data of a living person that could be used to, directly or indirectly, identify that person (e.g., an identification number, email address, bank account number, etc.).
Data Controller: A natural or legal person with power and duties to decide the collection, use, or disclosure of Personal Data.
Data Processor: A natural or legal person who processes Personal Data under the instruction or on behalf of the Data Controller.
Sensitive Data: Under the PDPA, Sensitive Data can refer to race, ethnic origin, political view, doctrinal, religious or philosophical beliefs, sexual behavior, criminal record, health record, and biometric information.
Clinical research and trials (i.e., research studies and experiments on humans) are subject to medical ethics standards under:
– the Medical Council Regulations; and
– the Declaration of Patient’s Rights was published by the Ministry of Public Health and other relevant health authorities (e.g., Nursing and Midwifery Council, Medical Technology Council, etc.) (‘the Patient Declaration).
2.1. Data collection and retention
Referring to the Patient Declaration, each participant has a lawful right to request information regarding their role in medical research before participating in or withdrawing from such study. In addition, researchers must disclose the purpose of collecting and processing Personal Data required for medical research to participants, and their express consent is required.
Such data must be confidential per medical ethics standards under the Medical Council Regulations and Patient Declaration concerning data retention.
In addition, under the PDPA, any natural or legal person, including a medical practitioner who acts to collect and make decisions on the processing of data subject Personal Data (i.e., purposely for medical or clinical research), is considered a “Data Controller.” A Data Controller, in this regard, must inform such data subjects of the purposes of collecting their Personal Data and provide them with information relating to the processing of their Personal Data (e.g., the retention period, rights of a data subject, contact information, possible consequences of not providing their Personal Data, recipients the Personal Data will be disclosed to, etc.) before or during data collection, and obtain the explicit consent of data subjects, either in writing or via electronic form, to collect their Personal Data. We will further discuss additional information on the consent requirement in section 2.1.1. below.
Consent from a data subject is required for any change to the purpose of Personal Data processing that differs from what a data subject initially consented to. In addition, a Data Controller must retain records of Personal Data processing activities for transparency.
Also, concerning retention restrictions, a Data Controller must provide security measures to prevent the loss, access, use, change, revision, or disclosure of Personal Data without authorization. Such security measures for processing operations shall be assessed when deemed necessary or there is a change in the technology of security measures.
Security standards are prescribed by the Personal Data Protection Committee (‘PDPC’).
Please refer to section 5 for further details on the retention of patients’ Personal Data.
2.1.1. Consent
Under the Medical Council Regulations and Patient Declaration, researchers must obtain the consent of participants. However, neither of the aforementioned specifies the process to obtain such permission. Nevertheless, researchers must provide all information related to the research, such as the risks and benefits of participating in the study, the right to confidentiality, and researcher obligations toward participants.
Concerning the consent of minors (i.e., those under the age of 18) and incompetent persons, their parents or legal guardians shall have the lawful right to exercise their rights, including providing consent to participate in the research and requesting relevant information.
As a researcher is considered a Data Controller under the PDPA, obtaining consent from participants will also be subject to the PDPA.
Under the PDPA, a Data Controller must obtain the explicit consent of participants, either in writing or via electronic form, to collect their Personal Data. In addition, to collect participants’ Personal Data, a Data Controller must provide each participant with information relating to the processing of their Personal Data, including:
– details of the Personal Data to be collected;
– purposes of collection, including the legal basis for the collection;
– data owner rights (e.g., the right to access, right to erasure, right to object, right of withdrawal, etc.);
– data retention period;
– recipients or their categories, either as an individual or organization, to which the Personal Data will be disclosed; and
– contact details of the employer (as a Data Controller) and the data protection authority.
The requirement to obtain consent may only be set aside if at least one of the following grounds applies, such as when:
– pursuing a legitimate interest by the Data Controller and other third parties;
– archiving historical research or for statistical purposes;
– preventing or suppressing damage to the life, body, and health of an individual (i.e., vital interests);
– complying with obligations under a contract to which the data subject is a party or in response to a data subject’s request before entering a contract;
– complying with the legal obligations of the Data Controller; or
– performing a task in the public interest or exercising an official right vested in the Data Controller.
In addition, participants, including legal guardians, their legal guardian has lawful rights to withdraw their consent regarding the use of the subject’s Personal Data unless there is a restriction on the withdrawal of the consent specified by law or contract which is beneficial to the participants. If consent is withdrawn, the Data Controller must stop using, disclosing, and possessing such Personal Data.
2.1.2. Data obtained from third parties
Under the Medical Council Regulations and Patient Declaration, there are no specific requirements for obtaining data from third parties. The PDPA, however, explicitly prescribes restrictions on acquiring data from third parties.
Under the PDPA, a Data Controller cannot obtain data subjects’ Personal Data from third parties, except:
– to notify such collection from third parties to a data subject, and the notification must be made no later than 30 days from the date of collection and receiving consent from a data subject; and
– where the data collection does not require consent from a data subject, as mentioned in 2.1.1. above.
According to the Ministerial Regulation on Drug Registration B.E. 2555 (2012) (‘the Ministerial Regulation on Drug Registration’), an authorized drug manufacturer or drug importer (‘the Licensee’) must apply for and register drugs with the Food and Drug Administration (“FDA”) of the Ministry of Public Health for the distribution of a drug in Thailand. Furthermore, when such registration has been completed, the Licensee must provide an Adverse Drug Reaction (‘ADR’) report for causality assessment between drugs distributed to consumers and adverse health reactions.
The ADR report in this regard should include information relating to ADRs, such as:
– any adverse reactions resulting from the use of the drug;
– details of the drug; and
– general patient information, including unidentifiable information such as hospital reference number, gender, weight, nationality, drug allergy background, and congenital diseases, and specific identifying information such as the patient’s full name and identification number.
However, there is no strict requirement that such identifiable information is provided to the FDA.
Nonetheless, an ADR must specify such information upon the consent of each patient.
The FDA does not have specific rules for anonymizing data retention-related matters. However, as all information in the ADR report is considered official information, it shall be subject to standard requirements under the following:
– Official Information Act B.E. 2540 (1997); and
– The Regulation on State Secrets B.E. 2544 (2001) (only available in Thai here) (‘the Regulation on State Secrets’).
Under the Regulation on State Secrets, all information in the ADR report shall be perpetually kept confidential. Only an authorized person shall be allowed to access or use such information. Any transfer of information between or within government entities must be recorded and kept confidential. Any disclosure of a medical report or personal information that will unreasonably infringe upon the right to privacy shall be strictly prohibited.
4.1 Establishment and Conditions of Biobanking Activities
Currently, there are no specific rules on biobanking activities in Thailand. However, biobanking activities are generally carried out for research purposes; therefore, regulations under the Medical Council Regulations and Patient Declaration, including the PDPA mentioned in section 2. above, apply. Accordingly, to perform biobanking activities, a human subject must be informed of all information related to such activities, such as the risks and benefits of participating, the right to the confidentiality of participants, and their consent, which is considered a principal requirement for researchers or medical practitioners.
4.2 Collection of Samples and Information Attached to Them
According to the Medical Council Regulations and Patient Declaration, the consent of human subjects is required before collecting their biological matter (i.e., bodily fluid or tissue samples) and their information.
4.3 Processing and Storage of the Samples
Currently, Thailand has no specific requirements for the processing and storing samples obtained from biobanking activities.
4.4 Registers Established for Biobanks
Any establishment where biobanking activities occur may be considered a sanatorium and shall therefore be subject to requirements and specific licenses under the Sanatoriums Act.
4.5 Rights of Registered Individuals and Protecting their Information
Under the Medical Council Regulations and Patient Declaration, the right of human subjects to the confidentiality of their Personal Data is recognized. Therefore, researchers and medical practitioners are strictly obligated to keep the Personal Data of human subjects confidential. The disclosure of such data is only allowed upon their consent.
The Relevant Legislation imposes an obligation on sanatoriums, such as hospitals and clinics, and medical practitioners, such as doctors, nurses, and pharmacists (i.e., medical practitioners), to collect and retain patient personal information, including name, age, identification card number, and medical records, etc., for medical treatment purposes. All patient personal data must be confidential per medical ethics for at least five years from the record date. Furthermore, medical practitioners may only disclose a patient’s personal information with a patient’s express consent or by medical practitioners who have a legal obligation to do so for the benefit of patients.
The Relevant Legislation does not specify that patient consent is required for data collection and processing. Instead, a general requirement for data subject consent under the PDPA, including any applicable exemption, may apply, further discussed in section 2.1.1. above.
No cases relating to the above issues have been filed in the courts. However, medical practitioners’ unauthorized collection, use, or disclosure of patient Personal Data violates medical ethics. Therefore, the medical practitioners involved in such incidents would be subject to disciplinary action and liabilities, which are not published to the public.
5.1 General Obligations on the Data Controller
Data controllers have legal obligations under the PDPA for the collection, use, or disclosure of Personal Data. In addition, Data Controllers must guarantee the fundamental rights of data subjects, including the rights to erasure and data portability.
5.2 Permitted Uses of Data
Data controllers that collect or process Personal Data must obtain data subject consent either in writing or electronic form unless otherwise permitted by law (as mentioned in section 2.1.1. above).
5.4 Obligations in Respect of Disclosure of Records to Other Medical Professionals (e.g., Individuals’ GP) or Family Members/Representatives
The disclosure of records to other medical professionals, family members/representatives is prohibited unless:
– consent is obtained from the data subject; or
– there is a reason to prevent or suppress danger to a data subject’s life, body, or health.
5.5 Data Security Requirements
In the future, the PDPC will release additional regulation(s) providing a list of security measures for Personal Data protection under the PDPA.
5.6 Anonymization/Pseudonymization
The Relevant Legislation and the PDPA do not provide specific definitions for anonymization and pseudonymization. Under the PDPA, however, a data subject has the right to request that the Data Controller erase or destroy Personal Data or anonymize Personal Data so the data subject cannot be identified.
5.7 Record Keeping
As mentioned in section 2.1 above, the Data Controller must be retained in an examinable condition for at least five years from the record date.
5.8 DPO Requirements
There are no specific requirements for a data protection officer (‘DPO’) under the Relevant Legislation. However, medical practitioners as Data Controllers must appoint a DPO if:
– the activities of a Data Controller relating to the collection, use, or disclosure require regular and systematic monitoring of data subjects on a large scale; or
– the core activities of a Data Controller related to the collection, use, or disclosure of Sensitive Data (e.g., religious beliefs, ethnic origin, health record, etc., as mentioned herein).
In this regard, the DPO must have expertise in Personal Data protection and can be a staff member of a Data Controller, Data Processor, or contractor under a service contract.
Under the Relevant Legislation, there are no specific requirements for outsourcing.
However, outsourcing other persons or juristic persons to collect, use, or disclose data subjects’ Personal Data on behalf of or as ordered by the Data Controller (which includes medical practitioners) shall be subject to the PDPA. In this regard, an outsourcing agreement between the Data Controller and outsourced person (i.e., the Data Processor) is required to set out obligations in processing Personal Data as prescribed under the PDPA. In addition, Data Controllers based outside Thailand involved in certain forms of data processing are obliged to designate in writing a representative based inside Thailand.
The Data Processor must strictly follow the instructions of the Data Controller when collecting, using, and disclosing Personal Data and provide appropriate security measures to prevent unauthorized or unlawful processing. In addition, the Data Processor must inform the Data Controller of any violation of Personal Data.
Under the Relevant Legislation, there are no specific requirements for transferring sensitive Personal Data.
However, the transfer of patient Personal Data, including Sensitive Data, is subject to general requirements under the PDPA. For example, information relating to a data transfer and recipient(s) who will receive their personal information must be provided to patients for their consent unless otherwise permitted by law.
Suppose patient Personal Data is transferred to a third country or an international organization. In that case, such a transfer is only permitted for destination countries or international organizations that provide an adequate level of protection, as prescribed by the PDPC, unless any such transfer fulfills the following criteria:
– the transferor has obtained consent from data subjects who have been informed of the inadequate level of data protection;
– it is necessary to perform any obligation under a contract, or the transfer is at the request of a data owner;
– it is performed under a significant public interest;
– the transfer is under the law; or
– it is necessary to protect the vital interests of the data owner or any person when such a data owner cannot give their consent.
Under the Relevant Legislation, there is no specific obligation to report a Personal Data breach to a supervisory authority or data subject. There is, however, a general obligation under the PDPA, which does apply.
In the case of a Personal Data breach under the PDPA, the Data Controller must notify the PDPC of the breach, except where the Personal Data breach is unlikely to risk individuals’ rights and freedoms. In addition, a Personal Data breach must be notified to the PDPC without delay and, where feasible, no later than 72 hours after becoming aware of the breach. The requirements of this notification, including its exceptions, will be further published in supplemental regulation(s) of the PDPC.
Under the PDPA, if a Personal Data breach is likely to result in a high risk to data subject rights and freedoms, the Data Controller must notify the breach data subjects and the PDPC.
The Relevant Legislation and Patient Declaration specify that the personal information of patients, including minors, provided to the medical practitioner must be confidential. Such personal information shall only be disclosed upon patients’ consent or to comply with a medical practitioner’s legal obligations, beneficial to patients.
In addition, each patient has a lawful right to request information regarding their medical treatment as it appears in the medical record. Such information must be ordered per the hospital’s procedures and should not infringe on other person’s personal information and rights. The rights of minors shall be exercised by their parents or legal guardian as mentioned in section 2.1.1. above.
Concerning the PDPA, the following rights are provided to each data subject:
– right to erasure: a data subject has the right to request for their personal information to be deleted unless exceptions apply;
– right to be informed: a data subject has the right to be informed of specific information relating to the collection and processing of Personal Data;
– right to object: a data subject may object to processing their Personal Data and withdraw their consent to the processing at any time;
– right to access: a data subject has the right to access their Personal Data that has been collected and processed by a Data Controller; and
– right to data portability: Data subjects have the right to receive their Personal Data in a structured, commonly used, and machine-readable format and transmit such data to third parties.
The right of a deceased person is not recognized under the Relevant Legislation, the PDPA, or the Patient Declaration.
In addition, as mentioned in section 2.1.1., to collect patient Personal Data, a Data Controller must provide:
However, there are cases where a Data Controller must disclose information about processing their Personal Data without obtaining patient consent, such as where the collection is to prevent or suppress damage to patient life, body, and health.
Under the Relevant Legislation, if medical practitioners breach their medical ethics in retaining patient Personal Data, they shall be subject to criminal or monetary penalties or disciplinary action, such as having their practitioner license suspended or revoked. As another example, a sanatorium licensee who discloses patient personal information without being duly authorized shall be imprisoned for up to one year or fined up to THB 20,000 (approx. €550).
As for penalties under the PDPA, if there is non-compliance, imprisonment of one year or a fine up to THB 1 million (approx. €27,500) shall be imposed. Furthermore, the PDPA also provides authority for a competent court to increase the amount of compensation by up to double the actual damages at the court’s discretion as punitive damages. In addition, the authority may issue an administrative fine of up to THB 5 million (approx. US$135,500) (which is subject to the severity of the circumstances) for non-compliance.
The information herein is general and should not be used as legal advice.
For further inquiries, please contact John Formichella or Naytiwut Jamallsawat at info@fosrlaw.com
