In the very dynamic, document-heavy environment of a Regulatory Affairs officer, it is crucial to have at least some knowledge of data protection and privacy. Data protection (or information privacy) is the protection of individuals' personal data throughout its processing, including the prevention of data loss and corruption. It also acts as a safeguard over how individuals' information is processed, including keeping it current in a changing environment, and it is everybody's responsibility in a company, Regulatory Affairs included.
Data privacy covers Personally Identifiable Information (PII): data that can be linked to a specific individual and that, in the wrong hands, can be used for illegal purposes such as identity theft. Protecting PII is therefore the heart of data protection, especially the data considered "sensitive PII": home address, bank account numbers, birthdate, phone number, health data and financial data. Protecting PII is complicated; even with protocols in place there will always be residual risk, so it is important to treat PII as an asset, a responsibility and a liability at the same time.
Understanding data protection and privacy also means understanding what data controllers and data subjects are. Data controllers are the parties responsible for deciding how personal information is processed, such as an insurance provider, the CDRRHR or a local bank branch; a company is a data controller for both its customers and its employees. Data subjects are the individuals to whom the PII relates, for example credit card holders and hospital patients. Data controllers process the information, and processing generally follows a standard life cycle. First is collection, for example when the FDA collects our personal information and documents as the designated Regulatory Affairs officer of the company. Second is use; confirming an identity is an example, such as when the FDA verifies the details of a pharmacist's professional license with the Professional Regulation Commission (PRC). Third is disclosure, for example when our company discloses our data to our health insurance provider as part of health benefits. Fourth is maintenance, when Human Resources keeps and updates copies of our credentials as employees, whether in a paper file or a digital file. Fifth is disposal: old documents containing PII must be shredded and disposed of responsibly, observing security precautions.
Best Practices in Data Privacy & Protection
In data privacy and protection there are best practices that guide us on how to keep data safe. First is openness: be transparent about how data is collected. Second is collection limitation: data should be collected only with the knowledge or consent of the data subject, within set restrictions and by lawful means only. Third is purpose specification and use limitation: information not needed for the stated purpose should not be asked for in the first place, and what is collected should not be put to other uses. Fourth is access and correction: if data collected from the subject is wrong, it must be corrected as soon as possible. Fifth is data quality: keep only data that is relevant, accurate, complete and current. Sixth is security safeguards: PII is protected by measures appropriate to the risk. Last is accountability, which ensures compliance with the law and that someone in the organization answers for it.
A privacy notice is what a company usually uses to communicate with customers; it is the public part of the privacy policy. A published privacy notice is a commitment to protecting PII, lets customers opt out of certain data processing activities they object to, and therefore demonstrates transparency. It is also a good starting point when learning how to conduct business with other organizations, since it shows what they commit to.
General Data Protection Regulation (GDPR) of the European Union
The GDPR's notion of "personal data" is broader than the PII concept used in the US. It is a law of the European Union, and failure to comply can lead to fines of up to 4% of a company's global annual turnover or 20 million euros, whichever is greater. It was enacted to give consistent data protection rules across the EU, which is crucial in a digital economy where data crosses borders. It enforces stricter regulations and penalties and has a broader scope: it covers companies in the EU and companies outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Processors, meaning companies that process data on behalf of another company, are also directly covered. Some of the companies represented by Regulatory Affairs professionals at PAMDRAP are in fact covered by the GDPR.
A Data Protection Officer (DPO) is a specialist in data protection compliance and the point person for data breaches in the company; the GDPR requires one for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. The DPO also helps data subjects exercise their rights, which the GDPR has widened. The strengthened rights of the individual are, first, the right to access one's own data; second, the right to be told how that data is used; third, the right to object to certain types of processing; fourth, the right to request erasure; and fifth, the right to restriction of processing, which the GDPR spells out explicitly: the controller may keep storing the data but must stop using it.
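The best practices listed earlier (openness, collection limitation, purpose specification, access and correction, data quality, security, accountability) and the data-subject rights just listed map onto controls that can be enforced in code rather than left to policy. The block below is an added example written for this page; it is not code from the original post or from any regulator. The purposes, the per-purpose field lists, the sensitive-field set, the subject identifiers and the sample record are all constructed for illustration. It shows a small in-memory registry that refuses to collect fields not needed for a declared purpose, refuses collection without consent, logs every successful operation for accountability, and implements access, rectification, erasure and restriction of processing.

```python
"""Added example: an in-memory personal-data registry enforcing the privacy
principles and data-subject rights discussed above. All purposes, field
names and sample values are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Purpose specification: each declared purpose may collect only these fields.
PURPOSE_FIELDS = {
    "payroll": {"name", "bank_account", "tax_id"},
    "health_benefits": {"name", "birthdate", "health_data"},
}
# Fields the text calls "sensitive PII"; flagged in subject-access output.
SENSITIVE_FIELDS = {"home_address", "bank_account", "birthdate", "phone",
                    "health_data", "financial_data", "tax_id"}


class PrivacyViolation(Exception):
    """Raised when an operation would breach one of the principles."""


@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    restricted: bool = False  # restriction of processing: keep, but do not use


class Registry:
    def __init__(self):
        self._records = {}  # (subject_id, purpose) -> Record
        self.audit = []     # accountability: who did what, to whom, and when

    def _log(self, action, subject_id, actor, detail=""):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, action, subject_id, actor, detail))

    def collect(self, subject_id, purpose, data, consent, actor):
        """Collection limitation: declared purpose, consent, no surplus fields."""
        if purpose not in PURPOSE_FIELDS:
            raise PrivacyViolation(f"undeclared purpose: {purpose!r}")
        if not consent:
            raise PrivacyViolation("collection without the subject's consent")
        surplus = set(data) - PURPOSE_FIELDS[purpose]
        if surplus:
            raise PrivacyViolation(f"not needed for {purpose!r}: {sorted(surplus)}")
        self._records[(subject_id, purpose)] = Record(subject_id, purpose, dict(data))
        self._log("collect", subject_id, actor, purpose)

    def use(self, subject_id, purpose, actor):
        """Use limitation: data is read only under the purpose it was collected for."""
        rec = self._records[(subject_id, purpose)]
        if rec.restricted:
            raise PrivacyViolation("processing restricted at the subject's request")
        self._log("use", subject_id, actor, purpose)
        return dict(rec.data)  # copy, so callers cannot mutate the stored record

    def access(self, subject_id):
        """Right of access: what is held, for which purpose, which fields are sensitive."""
        held = []
        for (sid, purpose), rec in self._records.items():
            if sid == subject_id:
                held.append({"purpose": purpose,
                             "fields": sorted(rec.data),
                             "sensitive": sorted(set(rec.data) & SENSITIVE_FIELDS),
                             "restricted": rec.restricted})
        self._log("access", subject_id, subject_id)
        return held

    def rectify(self, subject_id, purpose, field_name, value):
        """Access and correction: fix a value, but only for a field the purpose allows."""
        if field_name not in PURPOSE_FIELDS[purpose]:
            raise PrivacyViolation(f"{field_name!r} is not collected for {purpose!r}")
        self._records[(subject_id, purpose)].data[field_name] = value
        self._log("rectify", subject_id, subject_id, field_name)

    def restrict(self, subject_id, purpose):
        """Right to restriction: the record stays, but use() now refuses it."""
        self._records[(subject_id, purpose)].restricted = True
        self._log("restrict", subject_id, subject_id, purpose)

    def erase(self, subject_id):
        """Right to erasure: drop every record for the subject; returns the count."""
        keys = [k for k in self._records if k[0] == subject_id]
        for k in keys:
            del self._records[k]
        self._log("erase", subject_id, subject_id, f"{len(keys)} record(s)")
        return len(keys)


def violates(fn, *args, **kwargs):
    """True if calling fn raises PrivacyViolation; shows a refusal without a traceback."""
    try:
        fn(*args, **kwargs)
    except PrivacyViolation:
        return True
    return False
```

A typical run: `reg.collect("emp-001", "payroll", {"name": "A. Cruz", "bank_account": "0000-1111"}, consent=True, actor="hr")` succeeds, while the same call with a `health_data` field is refused because payroll does not need it; after `reg.restrict("emp-001", "payroll")` the record is still visible through `reg.access("emp-001")` but `reg.use(...)` raises. Note that the purpose table and the consent flag are the controls; everything else only records what happened, which is what an auditor or the NPC will ask for.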
Transfers of EU personal data to the US were governed separately by the EU-US Privacy Shield, which imposed stronger obligations on US companies to protect European personal data and replaced the earlier Safe Harbor agreement. It required the US side to monitor and enforce more robust measures and to cooperate with EU data protection authorities. (The Privacy Shield was itself invalidated by the Court of Justice of the EU in July 2020, so such transfers now need another lawful basis.) The stricter regime means that a Regulatory Affairs officer must be guided by the Legal and Compliance team and seek guidance when unsure, because it is really better to be safe than sorry.
Health Insurance Portability & Accountability Act (HIPAA) of the United States
HIPAA is enforced by the US government through the Department of Health and Human Services, unlike the GDPR, which comes from the EU. HIPAA sets the baseline privacy and security standards for medical information, but it does not apply to all health information or to every person who may see or use health information. There are three types of covered entities under HIPAA: healthcare providers, health plans and healthcare clearinghouses. Healthcare providers are doctors, dentists, hospitals, nursing homes and pharmacies, but only if they transmit health information electronically in connection with covered transactions; most providers do, and so are covered. Health plans are those that pay for the cost of medical care, including private health insurance companies, employer-sponsored group health plans and government-funded health plans like Medicare and Medicaid. Healthcare clearinghouses process health information so that it can be transmitted in a standardized format among covered entities. They act as go-betweens for healthcare providers and health plans and rarely deal directly with patients, but they are still covered.
HIPAA also reaches other entities: business associates, subcontractors and hybrid entities. Business associates perform functions for a covered entity that involve protected health information, such as legal, customer service, clinical research organizations (very common in the Philippines) and billing. Subcontractors create, receive, maintain or transmit protected health information (PHI) on behalf of a business associate and therefore carry the same legal responsibilities as a business associate, for example a document-shredding company hired by the business associate. Lastly, hybrid entities perform both HIPAA-covered and non-covered functions as part of their business; an example is an in-store pharmacy (like Watsons in the Philippines) located in a supermarket.
As discussed, some parties need not comply with HIPAA: life insurers, automobile insurance plans, gyms and fitness clubs, most schools and most law enforcement agencies. "Health information" as HIPAA defines it is any information, in any form or medium (paper, electronic or oral), created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, including genetic information, that relates to a person's past, present or future physical or mental health or condition, the treatment provided to a person, or the past, present or future payment for healthcare an individual receives.
HIPAA protects individually identifiable health information, that is, health information that identifies or can be used to identify a person, such as name, address, date of birth and SSN, when it is held by a covered entity or its business associate; this is protected health information (PHI). The HIPAA Privacy Rule covers PHI in conversations with the same protection as written forms. The HIPAA Security Rule, however, requires covered entities to establish data security safeguards only for PHI maintained in electronic form, called electronic protected health information (ePHI). HIPAA does not apply to employment records, even if they include medical information, but if an employee becomes ill and is treated as a patient by a covered provider, those treatment records are PHI. Also outside HIPAA are records covered by the Family Educational Rights and Privacy Act (FERPA), such as a child's elementary school records including school nurse visits, and the health information of people who have been dead for more than 50 years. Protecting data is everybody's business, Regulatory Affairs included, and in case of a breach one needs to contact management, Legal and Compliance, the privacy officer or IT.
Republic Act 10173 or The Data Privacy Act (DPA) of 2012 of the Philippines
The Philippines is one of the heaviest users of the web in the world, so it is appropriate that the country has measures in place to protect the data of Filipinos. The Philippines is also working to comply with ASEAN 2020 commitments and to support the Business Process Outsourcing (BPO) industry that provides so many jobs to Filipinos; hence the DPA of 2012. The law covers institutions involved in the processing of personal data that are located in the Philippines; acts or practices involving the personal data of a Philippine citizen or resident; processing done by an entity with links to the Philippines; and processing of personal data done in the Philippines. The processing activities covered are collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure and destruction of data.
Data protection is new in the Philippines: the rule-making body, the National Privacy Commission (NPC), was only constituted in 2016. The NPC serves as the advisory body on all matters of data protection and runs public-education initiatives on data protection, fair information rights and responsibilities. It is also involved in compliance and monitoring, where it manages the registration of personal data processing systems. Lastly, the NPC handles complaints, investigations and enforcement of data privacy matters. Registration of data processing systems is not mandated for an individual or institution with fewer than 250 employees unless it processes the sensitive personal information of at least 1,000 individuals.
Compliance with registration includes notification of automated processing operations, appointment of a data protection officer, adoption of data protection policies that provide for data security measures and security incident management, an annual report summarizing documented security incidents and personal data breaches, and other compliance requirements the NPC may impose. The DPA also requires breach notification: the NPC and the affected data subjects must be notified within 72 hours of knowledge of a personal data breach that requires notification, with the data protection officer as the usual point of contact.
Data protection and privacy are now part of our corporate lives, and it matters to follow them to protect not only the company we work for and ourselves but, most importantly, the privacy of the people whose data are processed every day, within the Philippine medical device industry and beyond.