As of June 2022, the Thai Personal Data Protection Act BE 2019 (PDPA) has come into full effect after being postponed for a few years because of the COVID-19 pandemic. However, the initial excitement and wariness seemed to fade as time passed without any visible enforcement.
Many readers may know that the Thai PDPA is aligned with the European General Data Protection Regulation (GDPR), which has been in effect since 2018. Since then, there have been quite a few GDPR enforcement cases from which we can learn. One recent case concerns journal publication.
The case occurred in 2021: a physician was fined €5,000 for publishing a patient's medical records without obtaining that patient's specific consent. The story is as follows:
“The physician downloaded medical records about a patient she treated at a local hospital from the hospital’s online archive system, including images taken during surgery. The physician used these records for a presentation at a medical conference and also included them as documentation supporting a scientific research paper she submitted for a competition hosted by a surgeons’ association. The physician’s paper was ultimately selected as the winner of that competition, resulting in the publication of her work on the association’s website.”1
The Italian GDPR supervisory authority found the physician in breach for the following reasons:
1) Lack of valid consent: Both GDPR and the Thai PDPA exempt the use of patient data for scientific research purposes from the consent requirement. However, a case presentation (like a case report) is not scientific research, so the patient’s consent was needed.
2) Lack of authorization: Although GDPR and the Thai PDPA exempt the use of patient data for scientific research from consent, the exemption applies to the data controller, which is the hospital. The physician should therefore have asked the hospital for permission to use the patient’s data; instead, she personally acquired the data without proper authorization.
3) Failure to effectively anonymize the data: GDPR and the Thai PDPA both require that whenever a patient’s data is used, proper de-identification procedures are applied so that neither direct nor indirect identification is possible. However, the physician presented the patient’s initials, age, details of hospitalizations, medical history, and several images from the patient’s surgery. Taken together, this information was considered indirectly identifying.
4) Open dissemination of health data: This is similar to the provision in the Thai Health Act BE 2007. The physician presented indirectly identifiable patient health data at a medical conference and published it on a website, thereby violating both the professional ethical code and GDPR.
It should be noted that the nature of a clinical case report is very similar to this case. Elsevier, a publishing group, also requires informed consent for case report publication.2 To comply with the PDPA, after June 1, 2022, RMJ will require the patient’s informed consent or a Certificate of Ethics Approval (stating that proper informed consent was obtained) for any case report or case series submitted for publication.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
1. Mele GR, Quathem KV. Italian Supervisory Authority Fines Physician for Secondary Use of Patient Data Without Specific Consent. Covington. May 27, 2021. Accessed June 1, 2022. https://www.insideprivacy.com/gdpr/italian-supervisory-authority-fines-physician-for-secondary-use-of-patient-data-without-specific-consent/
2. Eve K, Fennell C, Rees M. The case for consent: a primer on patient privacy and informed consent. Elsevier. September 15, 2021. Accessed June 1, 2022. https://www.elsevier.com/connect/authors-update/the-case-for-consent-a-primer-on-patient-privacy-and-informed-consent