Week 14: Legal and Regulatory Issues in eHealth
Driving Question: Is the Data Privacy Act adequate to protect confidential health information?
The healthcare system is slowly shifting its data warehousing practice to electronic storage. Most countries, from first-world to third-world status, are finding means of keeping their patient records and information safer through the use of IT solutions. The advancement of technology (the fast development of gadgets and the World Wide Web) provides the avenue for these ideas. The ultimate goal is to lighten the workload and make everyone’s life easier.
On the other hand, every pro has its cons. Amidst the wonderful things the new technology has to offer come a handful of issues and concerns that may greatly affect its processes and growth. Data loss and contamination, data hacking, unauthorized access and wrongful data use are just some of the colossal problems that could damage not only the companies but, more importantly, the data subjects. In every sector, whether healthcare, freight, BPO, HMO, etc., the netizens and even the owners and processors of these data-consolidating companies seek a guiding light that may walk them through these identified issues. In these cases, policies and standards play a significant role.
In the Philippines, the demand for protecting the quality and safety of every individual was answered by two acts which were signed back to back within a month by the President. These are the cybercrime law and the Data Privacy Act of 2012. The cybercrime law protects internet users from abuse and the like, while the Data Privacy Act protects subjects’ critical data (such as medical records, demographics, etc.). Certain speculations and reactions were expressed by citizens not only in the Philippines but also overseas.
On the back end, the aim is to increase BPO return on investment, since our country is one of the leading venues for these kinds of companies. In an article written by Alec Christie, he stated, “In the Philippines it is hoped that the Act will allay concerns over the security of personal information handled by employees of BPO companies based in the Philippines, which in turn will attract more investors in the information technology and BPO industry in the Philippines. The Philippines Business Processing Association believes that the Act will facilitate the IT – BPO industry expanding from call centers to areas that involve handling sensitive personal data such as in the health care and human resources areas, with projections of revenue in the industry increasing from USD 9 billion in 2011 to USD 25 billion by 2016.” Others say that this is necessary for us to comply with ASEAN harmonization. Well, for me, if these are true, it will decrease the unemployment rate and will support the growth of ICT-dependent businesses, which are making their mark on the local and global scene. But the main thing that will surely have an impact is data confidentiality and privacy. However, is it adequate to protect us subjects from harm? Let us examine the act further:
Let us first meet the actors (excluding the authorities involved):
Data subject - refers to an individual whose personal information is processed.
Personal information controller - refers to a person or organization that controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
Personal information processor - refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
Customer-centered Act
Let me start with the definitions of Privacy and Confidentiality:
Privacy (from Latin: privatus) is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes. When something is private to a person, it usually means there is something to them inherently special or sensitive. The domain of privacy partially overlaps security, including for instance the concepts of appropriate use, as well as protection of information. (Source: http://en.wikipedia.org/wiki/Privacy)
Confidentiality, on the other hand, is a set of rules or a promise that limits access or places restrictions on certain types of information. (Source: http://whatis.techtarget.com/definition/confidentiality)
These two definitions give us the overview that personal information should be protected and secured. The use and sharing of these data should be treated with responsibility and done with caution. Information disclosed to a trusted recipient, or even to a third party, is vested with trust, meaning that the submitter is confident that the recipient will not do anything with the information (including divulging or using it) without his or her proper consent. In the Data Privacy Act, these concerns are fully addressed in the “sensitive personal information” part. The data subjects have full control over this type of information. Certain penalties apply to violators such as the controllers and processors in case these data are divulged without the subject’s knowledge. The subjects also have the ability to change or nullify damaged information which resulted from contamination or mistaken entry. Additional penalties will be incurred on the part of the processor and controller to that extent.
The highlight of the act revolves around the data subjects. The focus is to empower the customers/patients by giving them the key to entrust their personal information to their selected processors. It is very much subject-centered. Notifications connected to the subjects’ rights are required to be presented by the controllers or processors. These are:
a. A description of the personal information to be collected/entered into the system
b. The purposes of the processing (i.e., uses of the information)
c. Scope and method of the processing
d. Possible recipients or classes of recipients to whom the personal information may be disclosed
e. Methods by which the personal information may be accessed automatically
f. Identity and contact details of the Controller, and
g. The Data Subject's rights to access and correct their personal information, as well as his/her right to make complaints to the NPC.
The heavily burdened controller
Still on privacy and confidentiality, the controller or processor should have a secure means of protecting the patient information when data is transferred or when another third party is contracted for another round of processing.
Another thing: the controllers will be penalized for having porous or weak database security in case of unauthorized access (breaches and hacking). In accordance with the act, it is the responsibility of the controller and a requirement of the vested authority to:
a. Safeguard to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
b. Have a security policy with respect to the processing of personal information;
c. Have a process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
d. Have regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
Penalties for non-compliance
The Philippines imposed very high penalties for violation of the regulations specified in the act, ranging from Php 500,000 to Php 4,000,000 for individual breaches, and reaching up to Php 5 million in case of multiple breaches. So let’s say a certain account was breached and 200 personal files were compromised. That is an automatic maximum penalty. What if 10 accounts were breached with the same number of compromised records each? Not to mention, the controller could be imprisoned for up to 5 years. Though for some multinational companies, these are just pennies.
Therefore, all the burden of keeping all the information intact and safe is given to the controller, and partly to the processor. These duties are not as easy as they look. Given the high revenue/return on investment, it is only proper to give these companies the full responsibility, since we give them our full trust in keeping our records safe.
Suggestions
For me, the act is somewhat adequate to protect people’s personal health information. It just needs further polishing. The act is data-subject centered, but what provision will protect the controllers from data subjects with malicious or money-driven intent? The act should also provide companies a security blanket for these kinds of attacks.
Also (on the contrary), increase the penalties to higher amounts so that all will respect the Act. The 5 million maximum penalty is not a problem for some rich companies. This will also increase the probability of compliance.
Lastly, the Act should be well explained to the general public. The provisions appear vague to some. Although they are related, the cybercrime law and the Data Privacy Act differ in the sense that they regulate two different aspects. According to Atty. Jose Jesus Disini in the article “Cybercrime, Data Privacy Acts a double blow on netizens”, “The Data Privacy Act is “more encompassing” in how it regulates the flow of information. While the law was meant to protect personal medical information being handled by business process outsourcing companies, the law was worded so vaguely that it could apply to almost anything online.” He cited an example: “For example, if I said on Facebook that Noemi has a cold, so I identified her, and I even retweeted it, I already processed sensitive personal information,” he said. “Since there was no expressed consent (from the subject), I violated the Data Protection and the Cybercrime Acts.”
Proper dissemination should always be a top priority of the government whenever it releases a certain law or policy. Yes, ignorance of the law excuses no one. But ignorance starts when you don’t understand the law, and in the long run it leaves you unaware.