Thursday, June 4, 2020

BASICS OF DATA PROTECTION & PRIVACY


In the very dynamic, document-heavy environment of a Regulatory Affairs officer, it is crucial to have at least some knowledge of data protection and privacy. Data protection (or information privacy) is protecting the processing of individuals' personal data, including the prevention of data loss and corruption. It is also considered a safeguard on the processing of individuals' information, including keeping it current in a dynamic environment, and it is everybody's responsibility in a company, including that of Regulatory Affairs.
Data privacy covers Personally Identifiable Information (PII). These are data that can be linked to a specific individual and, in the wrong hands, could be used for illegal purposes such as identity theft. Protecting PII is therefore the heart of data protection, especially the data considered "sensitive PII", which includes home address, bank account numbers, birthdate, phone number, health data and financial data. Protecting PII is complicated, though; even with protocols in place there will always be risks involved, so it is important to remember that PII is an asset, a responsibility and a liability.
Understanding data protection and privacy also means understanding what data controllers and data subjects are. Data controllers are those specifically responsible for processing personal information, like an insurance provider, the CDRRHR or a local bank branch; a company is a data controller for both its customers and its employees. Data subjects are the individuals linked to the PII in the data, for example credit card holders and hospital patients. Data controllers then process the information, and there is a generic way in which data are processed. First is collection; an example is when the FDA collects our personal information and documents as the designated Regulatory Affairs officer of the company. Second is use; confirmation of identity is an example of use, like when the FDA verifies the details of the Pharmacist's professional license with the Professional Regulation Commission (PRC). Third is disclosure; an example is when our company discloses our data to our health insurance providers as part of health benefits. Fourth is maintenance; this is when Human Resources maintains and updates copies of our credentials as employees, which may be in a paper file or a digital file. Fifth is disposal, when old documents containing PII need to be shredded; these have to be disposed of responsibly, observing security precautions.

Best Practices in Data Privacy & Protection
In data privacy and protection, there are best practices that guide us on how to keep data safe. First is openness about how data are being collected. Second is limitation of collection: collection should only be made with the knowledge or consent of the data subject, there must be restrictions, and collection must be done only by lawful methods. Third is purpose specification and limits: information not needed should not be asked for in the first place. Fourth is access and correction: if the data collected from the subject is wrong, a correction must be made as soon as possible. Fifth is data quality, which means keeping relevant data that is accurate, complete and current. Sixth is security practices, where PII is safeguarded with measures appropriate to the risk. Last is accountability, which ensures compliance with the law.
A privacy notice is usually used by a company to communicate with customers and is part of the privacy policy. A published privacy notice is a commitment to protecting PII, allows customers to opt out of certain data processing activities they object to, and therefore demonstrates transparency. This is a good starting point for learning how to conduct business with other organizations.

General Data Protection Regulation (GDPR) of the European Union
The GDPR is a concept broader than PII in the US. It is a law in Europe under which failure to comply may lead to mega fines of up to 4% of the company's global revenue or 20 million pounds, whichever is greater. This law was enacted to have international consistency, which should be crucial and clear in a digital economy. It also enforces stricter regulations and penalties, which also means a broader scope that covers companies in the EU and companies outside the EU that do business with the EU. Processors are also covered by this law; these are companies processing data on behalf of another company. Some of the companies handled by Regulatory Affairs professionals at PAMDRAP are actually covered by the GDPR.
A Data Protection Officer is a specialist on data protection compliance and the point person for all data breaches in the company, and is required by the GDPR. The Data Protection Officer helps the data subject exercise rights that are now widened. The strengthened rights of the individual are as follows: first, as a data subject, one can now find out how to access his data; second, how his data is used; third, how to object to certain types of processing; fourth, how to request erasure; and fifth, unique to the GDPR, the right to restriction of data processing.
The GDPR comes with the EU-US Privacy Shield, which imposes a stronger obligation on US companies to protect European personal data and replaces the previous Safe Harbor agreement. It requires the US to monitor and enforce more robust measures and to cooperate with EU data protection authorities. The stricter regulations mean that a Regulatory officer must be guided by the Legal and Compliance team and seek guidance when unsure, because it is really better safe than sorry.

Health Insurance Portability & Accountability Act (HIPAA) of the United States
HIPAA is enforced by the US government under the Department of Health and Human Services, unlike the GDPR, which is from the EU. HIPAA is the baseline privacy and security standard for medical information; it does not apply, though, to all health information or to every person who may see or use health information. There are 3 types of covered entities under HIPAA: health providers, health plans and health clearinghouses. Health providers are the doctors, dentists, hospitals, nursing homes and pharmacies, but only if they transmit health information electronically in connection with covered transactions; most of these providers, though, are covered by HIPAA. Health plans are those who pay for the cost of medical care; this includes private health insurance companies, employer-sponsored group health plans and government-funded health plans like Medicare and Medicaid. Health clearinghouses are those that process health information so it may be transmitted in a standardized format among covered entities. These clearinghouses act as a go-between for healthcare providers and health plans, so they don't deal directly with patients that much, but note that they are still covered.
There are other entities as well to which HIPAA applies: business associates, subcontractors and hybrid entities. Business associates are those that perform various functions for a company, like legal, customer service, clinical research organizations (very common in the Philippines) and billing. Subcontractors are those that create, maintain or transmit protected health information (PHI) on behalf of a business associate and therefore have the same legal responsibilities as a business associate, like the workers hired by business associates to shred company documents. Lastly, hybrid entities are those that perform both HIPAA-covered and uncovered functions as part of their business; an example is an in-store pharmacy (like Watson's in the Philippines) located in a supermarket.
As discussed, there are parties who need not comply with HIPAA: life insurance, automobile insurance plans, gyms and fitness clubs, most schools and most law enforcement agencies. The health information covered by HIPAA includes any information that is created or received by a healthcare provider, health plan, public health authority, employer, life insurance company, school or university or healthcare clearinghouse, and genetic information. It should be noted that this covers any form or medium, including paper, electronic and oral information. The information must also relate to a person's past, present or future physical or mental health or condition; the treatment provided to a person; or the past, present or future payment for healthcare an individual receives.
In HIPAA there is individually identifiable health information, which is health information that identifies or can be used to identify a person, like name, address, date of birth and SSN; HIPAA covers these. The HIPAA Privacy Rule on PHI also covers conversations, which get the same protection as written forms. However, the HIPAA Security Rule requires covered entities to establish data security measures only for PHI that is maintained in electronic format, called electronic protected health information (ePHI). HIPAA doesn't apply to employment records even if they include medical information, but if an employee becomes ill and therefore turns into a patient, it applies. Also not covered by HIPAA are records under the Family Educational Rights and Privacy Act (FERPA), like a child's elementary school records of school nurse visits, and the records of those who have been dead for 50 years or more. Protecting data is the business of everybody, including Regulatory Affairs, and in case of a breach one needs to contact management, legal and compliance, privacy officers or IT.

Republic Act 10173 or The Data Privacy Act (DPA) of 2012 of the Philippines
The Philippines is one of the top users of the web around the world, so it is appropriate that the country should have measures in place to protect the data of Filipinos. The Philippines is also trying to comply with ASEAN 2020 and to help the Business Process Outsourcing (BPO) industry that is providing so many jobs to Filipinos; hence the DPA of 2012. The law covers institutions involved in the processing of personal data located in the Philippines; acts or practices involving the personal data of a Philippine citizen or Philippine resident; acts, practices or processing of personal data done by an entity with links to the Philippines; and processing of personal data done in the Philippines. The processing activities covered involve collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure and destruction of data.
Data protection is new in the Philippines; in fact the rule-making body, the National Privacy Commission (NPC), was only established in 2016. The NPC serves as the advisory body on all matters about data protection, and it also launches initiatives for public education on data protection, fair information rights and responsibilities. The NPC is also involved in compliance and monitoring, where it is tasked to manage the registration of personal data processing systems. Lastly, the NPC is involved in complaints, investigations and enforcement of data privacy related matters. Registration of data processing systems is not mandated for an individual or institution employing fewer than 250 employees, unless the sensitive personal information of at least 1,000 individuals is processed.
Compliance with registration includes notification of automated processing operations, appointment of a data protection officer, adoption of data protection policies that provide for data security measures and security incident management, an annual report summarizing documented security incidents and personal data breaches, and other compliance requirements that may arise based on the judgement of the NPC. The DPA requires data breach notification from the data protection officer within 72 hours of knowledge of the breach.
Data protection and privacy are now part of our corporate lives, and it matters to follow them to protect not only the company we work for and ourselves but, most importantly, the privacy of the people whose data are processed every day, not only in the Philippine medical device industry.
