Hidden Title

Home > Publicity and Promotion > eHealth News > Building Trust: Personal Data Privacy in the eHRSS   back to main page

Building Trust: Personal Data Privacy in the eHRSS

 
Mr Stephen Wong Kai-yi

“Personal data protection under the Electronic Health Record Sharing System (eHRSS) is about fostering trust between healthcare providers (HCPs) and patients, and the trust can over time be translated into a business brand for HCPs, which represents an added incentive for patronage.”

Mr Stephen Wong Kai-yi,
Privacy Commissioner for Personal Data
 

While there are clearly multiple benefits for patients and HCPs through record sharing in the eHRSS, health records do contain considerable sensitive personal data that requires great care and protection. Mr Wong said there is a need to strike a balance between free flow of medical information and data privacy protection.

He said the balance would be achieved through legal compliance, establishing accountability in data protection by data users as part of corporate governance, and educating both data subjects and users.

Noting that HCPs, as data users, have greater responsibilities towards data protection under the eHRSS, Mr Wong said data privacy protection is not just about managing privacy risk in relation to personal data, but also about building trust with and instilling confidence in patients.

balance between free flow of medical information and data privacy protection
There is a need to strike a balance between free flow of medical information and data privacy protection
“HCPs should know that strong data privacy and security practices can earn them a good brand and business reputation. Patients will be more willing to authorise the uploading of and access to their health records, feeling reassured that privacy of the data they share through the system will not be compromised,” he said.
 
“It is an edge that can bring more businesses for HCPs and more benefits for patients. The outcome is a win-win situation,” he added.
 
Legal Compliance


As far as data privacy is concerned, data users of the eHRSS have to comply with the requirements of two ordinances – the Electronic Health Record Sharing System Ordinance (eHRSSO) and the Personal Data (Privacy) Ordinance (PDPO).

Explaining how the eHRSSO and the PDPO work, Mr Wong said, “The eHRSSO protects data privacy by setting out strict requirements on the use of the eHRSS and the health records contained. It also includes specific offences relating to accessing, damaging or modifying data in the system. Meanwhile, the PDPO provides comprehensive protection to personal data privacy in Hong Kong.”

“The PDPO and the eHRSSO complement each other and work hand-in-hand to provide dual protection to citizens participating in the eHRSS,” said Mr Wong.

“The six Data Protection Principles are embraced in these provisions, which data users have to observe,” he added.


comply with the requirements of two ordinances
As far as data privacy is concerned, data users of the eHRSS have to comply with the requirements of two ordinances - the Electronic Health Record Sharing System Ordinance (eHRSSO) and the Personal Data (Privacy) Ordinance (PDPO)
 
Six Data Protection Principles
 
Six Data Protection Principles (DPPs) represent the core of the PDPO covering the life cycle of a piece of personal data, which include:
 
(1) Data Collection Principle; (2) Accuracy & Retention Principle;
(3) Data Use Principle; (4) Data Security Principle;
(5) Openness Principle; and (6) Data Access & Correction Principle.
 
To learn more about the PDPO and the six DPPs, please visit the PCPD website.

https://www.pcpd.org.hk/english/data_privacy_law/ordinance_at_a_Glance/ordinance.html

 
Accountability as Corporate Governance
 
Mr Wong believes that data privacy protection goes beyond legal compliance and data users of the eHRSS should assume greater accountability.
 
“Instead of leaving the task to junior staff, data users should take a top management responsibility in enhancing protection measures as part of good corporate governance,” he stressed.
 
Mr Wong suggested eHRSS data users can consider setting up a comprehensive Privacy Management Programme, an idea promulgated by the Office of the Privacy Commissioner for Personal Data (PCPD) and piloted among organisational data users in Hong Kong.
 
According to the PCPD, a Privacy Management Programme demonstrates a top management commitment in data privacy protection, which should be integrated into an organisation’s governance structure. Among other things, it establishes policies and procedures to give effect to the legal requirements, includes plans for responding to breaches and incidents, and incorporates review mechanisms.
 
“Data privacy protection is not merely a legal compliance issue. It should be a corporate policy and pledge, and can contribute to brand building and reputation enhancement,” Mr Wong commented.
 
Education
 
Public education on data privacy is a task that cannot be understated in operating the eHRSS. Mr Wong noted that a lot of people, including HCPs and patients, are aware of the system but do not know the details well, thus harbouring some unreasonable expectations.
 
He said, “We need to increase their understanding of the operation of the system and the implications of sharing data.”
 
“A key message we are promoting is to protect and respect personal data, as we should aim at not just raising awareness, but fostering a deeper understanding and a mindset change in data protection.”
 
Summing up the roles of the different parties in data protection relating to the eHRSS, Mr Wong said, “HCPs build business reputation by having strong data privacy management, the Electronic Health Record Office (eHR Office) supervises the operation of the eHRSS to safeguard data privacy, while the PCPD monitors compliance and repairs situations,” he said.
 
PCPD Substantially Involved in the eHRSS
 
Given the huge volume and sensitive nature of health records stored in the eHRSS, the Government has attached great importance to data privacy and security in developing the system. Mr Wong said during the development stage, the PCPD and the eHR Office collaborated in addressing the concerns over data protection.
 
“We communicated and worked closely throughout the development of the eHRSS to ensure a smooth commencement of the eHRSS. We gave our views, held briefings and shared our experience in some cases we handled. It was a smooth collaboration,” he said.
 
With the eHRSS now in operation, the PCPD continues to provide their support in relation to personal data protection in respect of:
 
  •  
  handling complaints and initiating investigations if necessary;
  •  
  carrying out inspections of the eHRSS if necessary;
  •  
  providing guidance on personal data privacy; and
  •  
  handling data breach notifications.
 
Future eHR Development and Data Privacy
 

The Government has planned to expand the scope of sharable data in Stage Two development of the eHRSS. The tentative scope of Stage Two also includes enhancing patients’ choice over data sharing and developing a patient portal to facilitate patient access to health data.

Anticipating that an expanded scope will present greater challenge to data privacy and security, Mr Wong pointed out that the current international trend is to give individuals more control of their data privacy.

“‘Data Protection in Your Hands’ is what the PCPD is advocating now,” said Mr Wong, stressing that data subjects, including patients, should be empowered to take control of their data privacy. This would enable them to act and decide, and to opt in and out anytime.

Public education on data privacy is a task
Public education on data privacy is a task that cannot be understated in operating the eHRSS
Mr Wong said the PCPD will continue to contribute views in ensuring data privacy can be enhanced when details of the Stage Two programme are available. “Given the good track record of the Stage One programme, we have confidence in the work in this respect,” he added.
 
Advice for HCPs and Patients


The PCPD has published information leaflets on the eHRSS for the reference of HCPs, healthcare professionals and patients. Practical information on data privacy protection can be found in these leaflets.

  •  
Personal Data (Privacy) Ordinance and Electronic Health Record Sharing System (Points to Note for Healthcare Providers and Healthcare Professionals)
   
  •  
Electronic Health Record Sharing System and Your Personal Data Privacy (10 Privacy Protection Tips)

information leaflets
 
Transcending the Boundaries of Healthcare
Read next
Transcending the Boundaries of Healthcare
 
Transcending the Boundaries of Healthcare
Transcending the Boundaries of Healthcare
A private hospital’s perspective on eHR sharing
eHR for Senior Citizens
eHR for Senior Citizens
Improving healthcare for the elderly through eHRSS
Finding eHRSS Healthcare Providers
Finding eHRSS Healthcare Providers
Introducing the HCP Register
Protecting Security and Privacy of Personal Data in the eHRSS
Protecting Security and Privacy of Personal Data in the eHRSS
Security and privacy protection requirements that users need to know
fffffff
Engaging the Private and Non-government Sectors
Engagement and Promotion Activities of eHRSS
Fun Quiz - Chance to Win a Prize
subscribe ehealth newsletter
Download Previous eHealth News

Explanation of WCAG 2.0 Level Double-A Conformance
Top