MEDPLANNER CLINICAL MESSAGING APP – PATIENT DATA PROTECTION POLICY
Last Updated: 16 September 2024
MedPlanner Sdn Bhd (“MedPlanner”, “we”, “us”, or “our”) is committed to ensuring the protection of patient data shared via the MedPlanner clinical messaging app (“App”). This policy outlines the responsibilities of healthcare professionals and MedPlanner in safeguarding patient data in compliance with the applicable laws and regulations in Malaysia, Indonesia, Singapore, and the United Kingdom.
By using the App, healthcare professionals (“Users”) agree to comply with this policy and applicable patient data protection laws.
1. Purpose
The purpose of this Patient Data Protection Policy is to ensure that patient data is handled with the utmost care, confidentiality, and security when shared through the App. This policy is aligned with the healthcare and privacy laws of Malaysia, Indonesia, Singapore, and the United Kingdom.
2. Legal Frameworks by Jurisdiction
MedPlanner operates in accordance with the following patient data protection regulations in each country:
• Malaysia: The Personal Data Protection Act 2010 (PDPA) and Private Healthcare Facilities and Services Act 1998.
• Indonesia: The Law on Electronic Information and Transactions (EIT Law) and Regulation No. 20/2016 on Personal Data Protection in Electronic Systems.
• Singapore: The Personal Data Protection Act 2012 (PDPA) and the Healthcare Services Act 2020.
• United Kingdom: The General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
3. Patient Data Definition
For the purposes of this policy, “Patient Data” refers to any personal health information relating to an identified or identifiable patient, including:
• Medical history, diagnoses, treatments, and test results.
• Personal information, including name, contact details, and date of birth.
• Data relating to the provision of healthcare services.
4. Collection of Patient Data
MedPlanner facilitates the secure exchange of patient data between healthcare professionals. Users are solely responsible for ensuring that:
• They have obtained informed consent from patients for the collection, use, and sharing of their personal data in accordance with local regulations.
• Patient data is only shared when necessary for the provision of healthcare services.
Informed consent should include:
• Purpose of data use.
• Parties involved in the data exchange.
• Duration of data retention.
5. Use of Patient Data
Users are required to use patient data shared through the App only for purposes directly related to the treatment, diagnosis, and care of the patient. Patient data may only be used in accordance with the laws of the country where the data was collected, including:
• Malaysia: Under the PDPA, patient data may only be used for the primary purpose for which it was collected, such as patient care and treatment.
• Indonesia: The EIT Law mandates that patient data can only be used with explicit consent and must comply with data privacy and confidentiality requirements.
• Singapore: The PDPA and Healthcare Services Act 2020 require healthcare providers to obtain patient consent before sharing or processing personal data.
• United Kingdom: Under the UK GDPR, patient data must be processed lawfully, fairly, and transparently, with clear communication to patients about how their data will be used.
6. Security Measures
MedPlanner has implemented robust security measures to protect patient data shared via the App. These measures include:
• End-to-end encryption for all communications within the App.
• Secure data storage using healthcare-grade security standards.
• Access controls: Only authorized users may access patient data shared on the App.
• Data anonymization: When feasible, patient data is anonymized to minimize the risk of unauthorized identification.
Despite these measures, it remains the responsibility of Users to protect their login credentials and the devices they use to access the App.
7. Patient Rights
MedPlanner acknowledges and supports the rights of patients under the data protection laws of the respective countries, including:
Malaysia: Under the PDPA, patients have the right to:
• Access their personal data.
• Correct inaccuracies in their personal data.
• Withdraw consent for the use of their personal data.
Indonesia: Under the EIT Law, patients have the right to:
• Be informed about the collection and use of their personal data.
• Request the correction or deletion of their data.
• Limit the processing of their data.
Singapore: Under the PDPA, patients have the right to:
• Access and correct their personal data.
• Withdraw consent to the use of their personal data.
• Request the portability of their personal data.
United Kingdom: Under the UK GDPR, patients have the right to:
• Access and correct their personal data.
• Request the deletion of their personal data.
• Restrict the processing of their personal data.
• Request data portability.
To exercise these rights, patients may contact the healthcare provider or organization responsible for managing their data.
8. Data Retention
Patient data will only be retained as long as necessary for the provision of healthcare services or as required by the laws of the relevant jurisdiction. Retention periods vary depending on the country’s regulations:
• Malaysia: Under the Private Healthcare Facilities and Services Act 1998, patient records must be retained for a minimum of 7 years.
• Indonesia: Healthcare providers must retain patient records for at least 5 years under the Medical Practice Law.
• Singapore: The Healthcare Services Act 2020 requires healthcare institutions to retain patient data for at least 6 years.
• United Kingdom: The NHS Code of Practice recommends retaining adult patient records for 8 years, and longer for minors.
9. Cross-Border Data Transfers
Patient data may be transferred across borders where necessary for healthcare purposes. MedPlanner ensures that any cross-border transfers comply with local laws governing data exports:
• Malaysia: Cross-border data transfers are permitted under the PDPA if the recipient country provides adequate data protection standards.
• Indonesia: The EIT Law permits cross-border data transfers with the patient’s consent.
• Singapore: Cross-border data transfers are allowed under the PDPA, provided that the recipient ensures comparable protection standards.
• United Kingdom: The UK GDPR allows cross-border transfers to countries or organizations that provide an adequate level of data protection.
10. Data Breach Notification
In the event of a data breach involving patient data, MedPlanner will promptly notify the affected Users and comply with the applicable breach notification requirements in each jurisdiction:
• Malaysia: Under the PDPA, data breach notifications must be made to the relevant data subject and regulator where required.
• Indonesia: Under the EIT Law, data breach notifications must be made to the authorities and affected individuals.
• Singapore: The PDPA mandates that breaches involving personal data must be reported to the Personal Data Protection Commission (PDPC) within 72 hours.
• United Kingdom: Under the UK GDPR, data breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours and affected individuals must be notified if there is a high risk to their rights and freedoms.
11. Responsibilities of Healthcare Providers
Healthcare professionals and organizations using the App are responsible for ensuring compliance with the relevant patient data protection laws. This includes obtaining consent, protecting patient confidentiality, and ensuring the security of patient data.
Users are required to:
• Ensure that all patient data shared via the App complies with local regulations.
• Report any suspected data breaches to MedPlanner immediately.
• Provide patients with information about how their data is collected and used.
12. Changes to This Policy
MedPlanner reserves the right to update this policy to reflect changes in laws or practices. Users will be notified of any significant changes to this policy.
13. Contact Information
If you have any questions or concerns about this Patient Data Protection Policy, please contact us at:
MedPlanner Sdn Bhd
Email: contact@medplanner.io
By using the MedPlanner clinical messaging app, you agree to comply with this Patient Data Protection Policy and the relevant data protection laws in your country.