Complaint Case Notes

編號: 0098/2015/IP

標題: Dentist refused to return or destroy patient’s health records

立案原因: Complaint


    Before Complainant A received his oral examination in a dental clinic, Clinic K, he was requested to provide his personal data to establish his health records.  After the examination, the Complainant expressed that he would like to take some time to consider whether he would receive further treatment.  Later, disputes arose between the Complainant and the clinic staff.  The Complainant was in the view that the clinic staff had attitude problems and worried that his personal data would be abused, and therefore he requested Clinic K to return or destroy all his medical records, but the Clinic refused to do so.


    The information that the Compliant provided included his name, date of birth, ID number, contact numbers, lifestyle habits, health status, and other information, which all are considered as information relating to identified or identifiable natural persons and should be taken as personal data under Article 4(1) of the Personal Data Protection Act (PDPA).  Under Article 7(1) of the same Law, lifestyle habits and health data are sensitive personal data.  In addition, as long as Clinic K processes personal data by automatic means, its processing is subject to the PDPA under its Article 3(1). 
  Since it was the Complainant himself voluntarily completed the health record form provided by the Clinic, the latter, as a consequence, was processing the non-sensitive and sensitive personal data with the consent and authorization given by the data subject, which was in compliance with Article 6 and 7(2)(3) of the PDPA.  In addition, since dentists are allowed to establish patients’ health records under Decree Law 84/90/M of December 31st, the Clinic’s personal data processing is legitimate according to Article 7(2)(1) of the PDPA, which means that processing of data is explicitly allowed by a legal provision or by a provision of a regulation of an organic nature. 
  The Complainant exercised his right to object in order to demand Clinic K either to return or destroy his health records, to which Article 12(1) of the PDPA provided that the right to object should be based on the data subject’s compelling, legitimate and reasonable grounds (except for the purposes of direct marketing or any other form of commercial research).  Although no current legislations govern dental health records, healthcare related legislations—including but not limited to, Regulations for Private Health Units with Hospitalization and Recovery Rooms (Regulamento das unidades privadas de saúde com internamento e sala de recobro), approved by Decree Law 22/99/M of May 31st; Administrative Regulation 17/2012, Functional Areas of Medical Practice (Formas de exercício das areas funcionais da carreira medica); Decree Law 84/90/M of December 31st— and reference document the Working document on the processing of personal data relating to health in electronic health records (EHR) of the Article 29 Data Protection Working Party, do not prohibit doctors from establishing health records.  On the contrary, they have the general obligations to enter the prescribed treatment on patient’s health records. 
  During the first medical consultation patients are normally requested by doctors to provide their personal data, contact information, medical histories, etc.  In addition, health records will be registered during the consultation.  These are normal and common medical practices.  Health records form the basis of medical treatment, acting as the proof of patients’ medical consultation during a particular time period.  Such documents protect the interests of both the doctors and the patients, being a veracious description of the overall status of the patients and a safeguard to the patients’ health that is useful for consultations afterwards.  As such, they act as evidence for future medical disputes, if any, and therefore it is necessary to retain.  In fact, medical staff are bound by professional secrecy and they are liable to liabilities for any violations.  If the Complainant worried abuse of his health records because of the clinic staff’s attitude problems, this could only be regarded as personal opinions and do not serve as sound reasons.  At the present stage, no sufficient proof supports any personal data leaks by the Clinic and therefore the right to object is not based on sufficient grounds. 
  According to the information provided by Clinic K, the health records of patients will be retained until their death.  In fact, it would hardly be informed of patients’ death and leads to permanent retention of health records.  The data retention period is thus unfeasible and out of the question.  For this reason the GPDP has already requested Clinic K to formulate a more operable data retention period, in order to reduce the risks of data leaks and the cost of data retention.  Moreover, since Clinic K adopts the health record forms as its core documents for personal data collection, it should provide the information as laid down by Article 10(1) of the PDPA, for instance, the processing purposes, data recipients and types of recipients, in order to protect the right to information of the data subjects. 


    The GPDP has already informed the Complainant and Clinic K of the investigation results and reminded the latter to improve the processing of patients’ personal data, including establishing a more achievable data retention period and introducing a personal data collection statement on the health record forms, in order to satisfy the right to information of the data subjects.  

Please refer to Article 3, 4, 6, 7, 10 and 12 the Personal Data Protection Act.