The PDPA in Practice: What Singapore Clinics Need to Know About Patient Data Protection

By Arkgroup Leadership & Learning Team
October 23, 2025

1. Why is PDPA Crucial for Healthcare?

Healthcare data, such as a patient’s medical records, diagnoses, financial information and NRIC number, is considered highly sensitive. Privacy breaches can lead to significant harm to patients (e.g., identity theft, discrimination) as well as severe penalties for the organisation.

Singapore’s Personal Data Protection Act (PDPA) is the main legislation governing the collection, use, and disclosure of personal data by organisations in the private sector. Healthcare service providers such as clinics must also comply with the Healthcare Services Act (HCSA) and Ministry of Health (MOH) guidelines, which contain additional requirements for patient confidentiality and records.

2. What Are The Core Data Protection Obligations?

In this section, we highlight the key PDPA obligations as they apply to patient data in a clinic’s operations:

Consent and Notification Obligation (Collection)

The clinic must generally obtain valid consent before collecting, using, or disclosing a patient’s personal data. At the time of collection, the patient must also be notified of the purposes for which their data is being collected, used and disclosed.

Purpose Limitation Obligation (Use)

Personal data can only be used for the purposes for which consent was obtained, or for purposes that a reasonable person would consider appropriate in the circumstances. For example, data collected for treatment and billing cannot be used for research or marketing without informing the patient and obtaining separate consent.

Disclosure Obligation

Patient data should not be disclosed without the patient’s consent, except under certain legal exceptions. For example, disclosure to other healthcare providers for the patient’s medical treatment is generally permitted (often under deemed consent, supported by the need for continuity of care, especially via the National Electronic Health Record (NEHR) system).

Protection Obligation (Security)

Clinics must make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, or disposal of patient data. Secure storage and access controls are required for both hardcopy and digital files (e.g., access protected by multi-factor authentication, regular data backups).

3. Handling Specific Patient Data Scenarios

If your role involves handling or overseeing operations that include patient data, it is important for you to understand the core principles of the PDPA and learn how to implement data protection measures in a compliant way for your organisation. Join our 1-day workshop on Understanding the Personal Data Protection Act (PDPA) and be equipped to perform your role confidently.

In the following section, we will showcase and discuss some common scenarios in the healthcare sector.

Scenario 1
A patient’s wife calls asking for details about her husband’s recent diagnosis.

Violation of the Disclosure Obligation. A patient’s medical data is highly sensitive and should not be disclosed to the patient’s spouse unless the patient has explicitly authorised it.

Politely inform the caller that, under the clinic’s data protection policy, staff cannot disclose any medical information without the patient’s written consent or explicit authorisation recorded in the patient’s file. Ask the patient to call the clinic to provide authorisation.

Scenario 2
A staff member leaves an un-anonymised patient list containing NRICs and diagnoses on the reception desk, visible to other patients.

Violation of the Protection Obligation (inadequate security arrangements).

The clinic staff must be trained to keep all patient data—digital and physical—secured and out of public view. Implement a clear desk policy where all hardcopy forms and printouts must be secured immediately after use.

Scenario 3
A clinic wants to send an email blast to all its former patients about a new aesthetic treatment package.

Violation of the Consent and Purpose Limitation Obligations. The data collected for medical care cannot be used for marketing without separate, explicit consent.

Use only data from patients who have expressly opted in to receive marketing materials. The marketing email must include a clear and functional opt-out (unsubscribe) mechanism.

We hope these scenarios have given you some basic understanding about the dos and don’ts of maintaining personal data privacy for your patients. To gain a fuller understanding, join our 1-day training workshop that is designed to equip you with the knowledge to develop a Data Protection Management Program (DPMP), as well as the practical knowledge on how to handle data breaches.

The consultants at ARK Leadership & Learning have over 20 years of experience in the field of human resources and performance management, and we can help you become more confident and effective when ensuring PDPA compliance. Get in touch with us now to find out more.

ARK Leadership & Learning's Workshop Will Equip You With The Knowledge & Know How To Ensure PDPA Compliance For Your Organisation.

We have the expertise to help you learn how to implement PDPA compliant processes for your organisation – our consultants have over 20 years of experience in the field of human resource and performance management to assist our clients in building a robust team for the future. Contact us at +65 6604 6330 or Email us at llearning@arkgroup.com.sg for a discussion on your business’s needs.

Get In Touch with Us

ARK LEADERSHIP & LEARNING

A fully-owned subsidiary of Medinex Limited

111, North Bridge Road #23-04 Peninsula Plaza, Singapore 179098

WhatsApp: +65 8023 3505
Fax: +65 6604 6334
Email: llearning@arkgroup.com.sg
