The highly regulated healthcare industry often involves intensive data collection and processing activities. Across Asia, data protection measures continue to come into force and develop, requiring multinational healthcare organisations to adhere to a range of requirements to satisfy national security and individual data protection concerns.
Here, we look at some developments and requirements in China, Japan and Singapore, and the implications for the healthcare industry.
China: data security for healthcare
China has perhaps one of the most wide-ranging regimes, some of which is akin to the EU’s GDPR. Three milestone laws have come into effect recently in China: the Cybersecurity Law (2017), the Data Security Law (2021) and the Personal Information Protection Law (2021). They demonstrate the Chinese government's aim of enhancing data protection supervision, specifically with respect to data security and national security. Following these laws, China has also recently finalised a range of measures to provide further guidance on their implementation, such as the Security Assessment Measures for Cross-Border Data Transfers, unveiling the last piece of the puzzle for cross-border data transfer.
Healthcare data (such as medical, genetic, and biometric data) is sensitive personal information, which is subject to a higher level of protection under China’s data protection laws. Depending on the type and volume of data being handled, processing sensitive personal information may require data handlers (a concept under the Personal Information Protection Law, or PIPL, similar to data controllers under the EU’s GDPR) to take several steps, including ensuring that data subjects have given their informed and separate consent, undergoing a security assessment approved by the government authority, and entering into a data transfer agreement with the overseas recipient based on a “standard contract” published by the government authority, to name a few.
Japan: hospitals in the private and public sector
For global healthcare companies in the private or public sector that process personal information in Japan and/or import personal information from Japan, there are new requirements under the Act on the Protection of Personal Information (APPI). Key features of recent updates to the APPI include the requirement of informed consent for cross-border transfers of personal information; clarification of mandatory reporting and notification of data breaches; the introduction of “personally referable information” and “pseudonymously processed information”; increased criminal penalties; and, most recently, a requirement for government-run hospitals and universities to be subject to the rules applied to the private sector.
These updates require a review of existing agreements and policies to ensure compliance. It should also be noted that any data breach involving “special care-required information,” including medical history, requires a report to the Japanese government (PIPC) and a notification to the concerned individuals. Businesses obtaining personal data from government-run hospitals or universities in Japan should review their contracts in light of the APPI provisions that are now applicable to those hospitals and universities.
Singapore: healthcare data protection
Recent amendments under Singapore’s Personal Data Protection (Amendment) Act 2020, which are among some of the most significant since the Personal Data Protection Act (PDPA) first became effective in July 2014, will have a significant impact on healthcare providers.
Amendments that became effective on 1st February 2021 range from the introduction of a mandatory data breach notification requirement to the expansion of the scope of deemed consent and the inclusion of additional exceptions to express consent. This is in addition to the introduction of criminal offences. Furthermore, from 1st October 2022, the maximum financial penalty for breaches of the PDPA will also be increased.
A data breach involving certain classes of medical data and insurance information is deemed to be a data breach causing, or likely to cause, significant harm, and thus constitutes a breach requiring notification to the Personal Data Protection Commission. Moreover, given the number of patients a healthcare organisation often handles, it is very possible that a breach would affect 500 or more individuals, which would also make it a notifiable breach. Healthcare providers should therefore ensure that they have robust data breach plans in place, and take remedial action promptly in the event of a breach. It is also prudent to review existing personal data and data retention policies and update them to incorporate the new requirements relating to consent.
Healthcare providers that use data intermediaries should also review existing data transfer agreements or data processing agreements to ensure they contain the necessary contractual protections, including appropriate warranties and obligations, to protect the healthcare provider in the event of a data breach.
Conclusion: healthcare companies and hospitals must be aware of data protection
As can be seen, jurisdictions across Asia have been stepping up their assertiveness in managing the data that flows within their borders and beyond. Healthcare companies in particular, which naturally possess a great deal of sensitive personal information, should take heed and ensure they are aware of their respective obligations throughout the region.
By partners Moto Araki, Todd Liao, Bernard Lui, Vanessa Ng, and Mitsu Saito, and associates Sylvia Hu and Gina Ng in Asia in global law firm Morgan, Lewis & Bockius’s global healthcare industry group