This document summarizes a study on the adequacy of data protection in Total Hospital Information Systems (THIS) in Malaysia. The study involved a literature review and qualitative interviews. Key findings include the various actors involved in THIS and uncertainty around how exemptions in the Personal Data Protection Act of 2010 are applied. The study recommends a "360 degree data health check" to understand interrelationships and assess limitations in order to recommend an information governance model for THIS. Dissemination of results is planned for 2012 to provide a blueprint for data protection compliance in Malaysia's healthcare system.

1. Adequacy of data protection in total hospital information system (THIS); THE MALAYSIAN STORY By Noriswadi Ismail Doctoral Researcher in RFID, Data Protection & Privacy MARA Scholar & HeLEX Academic Visitor (1st August 2011 – 19th August 2011)

2. Executive Summary ::: Introduction ::: THIS Brief Background ::: Research Methodology ::: PDPA 2010 ::: 7 Data Protection Principles ::: Observations ::: Interim recommendation ::: Conclusion ::: References

3. Introduction

4. Introduction 10th Malaysian Plan (2010-2014) ::: Transforming delivery of the healthcare system (Streamlining regulatory and service provision rules, reviewing legislation and regulations & review financing options); ::: Increasing quality, capacity and coverage of the healthcare infrastructure (Expanding primary care services, strengthening secondary and tertiary care services and improving provision of healthcare services); ::: Shifting towards wellness and disease prevention, rather than treatment (Expanding the healthy lifestyle campaign and encouraging healthy and active lifestyle); and ::: Increasing the quality of human resources for health

5. THIS Brief Background ::: Integrated and comprehensive information system that manages, processes and retains all data relating to administrative, financial and clinical ::: Dr. Rasiah S., “…Electronic Information System that supports the core business of patient care which enables and facilitates the functions in fulfilling its services…” Source: New Generation Hospitals – IT hospitals, Malaysia’s Health 2005, Ministry of Health, pp 177-186.

6. THIS Brief Background Source: Dr. Nor Bizura Abdul Hamid, Planning and Development Division, Ministry of Health, “HIS – Malaysian Experience” presentation slides, pages 3-5 of 37

7. THIS Brief Background Source: Dr. Nor Bizura Abdul Hamid, Planning and Development Division, Ministry of Health, “HIS – Malaysian Experience” presentation slides, page 25 of 37

8. THIS Brief Background(Application Architecture) Source: Dr Saadon Ibrahim, Privilege Management and Access Controls in HIS Hospitals, Clinical Information Technology Coordinator, Hospital Sultan Ismail, Malaysia, MSC Malaysia IHE Education Session 3/09, Electronic Health Record Privacy, Slide 10 of 47.

9. Research Methodology ::: Literature Review:Journals and policy papers ( 1st August – 19th August 2011) ::: Observations: Malaysian Personal Data Protection Act 2010 (25th July 2011 – 19th August 2011) ::: Qualitative: Semi-structured interview with focused groups – IT Service Providers, Doctors, IT Team, Patients and Users (January 2012-February 2012)

10. Research Methodology ::: Limitation: Most of the literature materials are in medical informatics and information system. Lack of legal materials and multidisciplinary materials on the same (especially on local content – Malaysia’s regime/contour)

11. PDPA 2010 Transborder Data flow? Full / Partial Independence? Data User Forum

13. * Processed for prevention or detection of crime or for the purpose of investigations;

14. * The apprehension or prosecution of offenders;

15. The assessment or collection of any tax or any other imposition of a similar nature;

16. * Processed in relation to information of the physical or mental health of a data subject;

17. * Processed for preparing statistics or carrying out research;

18. * Processed for the purpose of or in connection with any order or judgment of a court;

19. Processed for the purpose of discharging regulatory functions; and

21. Observations ::: Actors in action: Ministry of Health officials, doctors, consultants (local or foreign), patients (local or foreign), third parties (vendors, contractors, service providers and sub-contractors) ::: Many actors, different liabilities ::: Exemption: Ministry of Health officials, Federal and State Government doctors – leads to uncertainty in comprehensively applying the PDPA 201 although these actors are dealing directly with patients (as data subjects) and consultants

22. Observations ::: Consultants: How their relationship is defined in THIS? ::: Patients: How secured the patients’ personal sensitive data are processed, managed and retained throughout THIS? What happens to the data of demised patients? Who owns it? And whether PDPA 2010 addresses the period of retention on the same? ::: Third parties: Is contractual obligations suffice?

23. Observations ::: Transfer of doctors/patients: Whethersuch transfers reach the adequacy level within the PDPA 2010 - is/are yet to be tested. ::: Secondary Opinion: Whether seeking such secondary opinion outside Malaysia deemed to be adequate under the PDPA 2010 - is yet to be tested :::Transborder data flow: Whether such transborder data flow from a Malaysian hospital to another hospital deemed to be regarded as commercial transaction – is yet to be tested

24. Observations ::: THIS dilemma 1:Different hospitals, different service providers (system integrators) – Standardisation challenge ::: THIS dilemma 2: Different policies on the integrated systems, and different levels of information security & privilege access – privilege management ::: THIS dilemma 3: At least, there are 3-4 parties involved in a specific application architecture. A back-to-back arrangement on data protection & privacy compliance is technically sophisticated

25. Interim recommendation ‘360 degree data health check’

26. Interim recommendation ::: Rationale 1: To be able to understand the inter-relationship ::: Rationale 2: To be able to assess the limitations ::: Rationale 3: To be able to recommend workable information governance model for THIS

27. Interim recommendation ::: How to achieve this?: Pilot interview and semi-structured interview (qualitative) ::: Expected period of outcome: By the fourth quarter of 2011 or the latest, first quarter of 2012. ::: Dissemination strategy: Publication in the Malaysian Journal of Public Health and series of workshops & presentations before the Ministry of Health: Expected by first quarter of 2012.

28. References Articles & Policy Papers Dr. Nor Bizura Abdul Hamid of Planning and Development Division, Ministry of Health Malaysia’s presentation on Hospital Information System – Malaysian Experience Dr. Saadon Ibrahim of Clinical Information Technology Coordinator, Hospital Sultan Ismail Malaysia’s presentation on Privilege Management and Access Control in HIS hospitals Economic Transformation Programme – A Roadmap for Malaysia, Chapter 16, healthcare (p1-36) Ganthan Narayana Samy, Rabiah Ahmad and Zuraini Ismail, Threats to Health Information Security, Journal of Information Assurance and Security 5 (2010) 146-153 Health Facts 2009, Health Informatics Centre, Planning and Development Division Ministry of Health Malaysia (July 2010) Sapiah Sulaiman and Rose Alinda Alias, Information Ethics in Malaysia paperless Hospital, Proceedings of the Postgraduate Annual Research Seminar 2006 Suhaila Samsuri, Rabiah Ahmad and Zuraini Ismail, Towards Implementing a Privacy Policy: An Observation on Existing Practices in Hospital Information System, Journal of e-health Management, Vol. 2011 (2011), Article ID345834. The 10th Malaysian Plan (2010-2014)

29. References Book Abu Bakar Munir & Siti Hajar Yasin, Personal Data Protection in Malaysia, Law and Practice, Sweet & Maxwell Asia (2010) Websites MSC Malaysia <www.mscmalaysia.my> PEMANDU, Economic Transformation Programme <http://etp.pemandu.gov.my/> Ministry of Health Malaysia <http://www.moh.gov.my/> Malaysia Health Fact 2009 <http://www.moh.gov.my/images/gallery/stats/heal_fact/healthfact-P_2009.pdf>

30. Conclusion It is hoped that the impact of this research will be able to address the application of PDPA 2010 within the Total Hospital Information System (THIS). It is also hoped that the outcome of dissemination shall become a blueprint headway to responding any potential issues relating to data protection and privacy compliance in Malaysia’s healthcare.

32. Thank YouE: <noriswadi@gmail.com> &<noris@qconsultant.com>