The Office for Personal Data Protection (GPDP) announced yesterday two referrals from the Health Bureau (SSM) about breaching the city’s Personal Data Protection Law, in which a healthcare entity has been fined 6,000 patacas for not properly protecting the images from its CCTV system and sending, inappropriately, video footage captured to third parties other than the person concerned, while the other has been transferred to the Judiciary Police (PJ) for electronically sending clinical file data to the mainland.
In recent years, according to a GPDP statement, the office has received several complaints and reports related to entities in the health sector, with only a few of them having been found to be in breach of regulations.
The office said in the statement it believes that the two cases are an exception to the rule and that the vast majority of private healthcare facilities such as clinics do pay “adequate” attention to their users’ personal data and ensure it is protected.
The office noted that when the Health Bureau launched the work of the electronic health record (eHR) platform last year, the office began to coordinate with non-public hospitals on their personal data protection work, giving them advice on how to raise their awareness of the importance of personal data protection, review and improve personal data protection policies and comply, in accordance with the law, with the notification obligations stipulated in the Personal Data Protection Law, which, the statement said, achieved “satisfactory results”
Taking into account the problems revealed in a number of cases involving private healthcare entities, with a view to helping the sector raise its level of attention and better protect the personal data of their patients, the office has gradually launched, in recent months, coordinated measures on the personal data protection of private healthcare institutions in Macau by requiring them to take the initiative to review personal data processing policies before the end of October, defining appropriate security measures and implementing them, in addition to complying with their notification obligations under the terms of the Personal Data Protection Law.
According to the statement, private healthcare entities that have failed to complete their review work are urged to carry out their review and possible improvements as quickly as possible, with a view to completing the work of complying with their legally required notification obligations within the stipulated period.
This screenshot taken from the Office for Personal Data Protection (GPDP) website last night shows its office on the 17th floor of China Plaza on Avenida da Praia Grande.
