Medical Information & Other Non-Clinical Information in Medical Records Subject to PDPA’s Mandatory Data Breach Notification Requirements

7 December 2023

This webpage provides clarifications on the types of medical information listed in the Personal Data Protection (Notification of Data Breaches) Regulations 2021.

In 2021, the Personal Data Protection Commission (PDPC) introduced the Personal Data Protection (Notification of Data Breaches) Regulations that set out mandatory data breach notification requirements. These include a list of prescribed classes of data deemed to be of significant harm to the affected individuals (“whitelist”) and would therefore be subject to breach notification requirements, as well as how organisations shall notify affected individuals and relevant authorities in the event of a data breach.

Specified Medical Information

One of the categories of data in the PDPA whitelist contains specified medical information. Table 1 provides such types of medical information and examples subject to breach notification requirements if breached.

Table 1: Prescribed classes of medical information in PDPA Regulations

Prescribed classes of specified medical information in PDPA regulations	Specific data types/examples
18. The assessment, diagnosis, treatment, prevention or alleviation by a health professional of any of the following affecting an individual:
(a) any sexually transmitted disease, such as Chlamydial Genital Infection, Gonorrhoea and Syphilis;	Chlamydial genital infection Gonorrhoea Syphilis
(b) Human Immunodeficiency Virus Infection;	HIV
(c) Schizophrenia or delusional disorder;	Schizophrenia Delusional disorder
(d) substance abuse and addiction, including drug addiction and alcoholism.	Substance abuse (opioid abuse, inhalant abuse) Substance addiction (drug addiction, alcoholism)
19. The provision of treatment to an individual for or in respect of - (a) the donation or receipt of a human egg or human sperm; or	Sperm donor Sperm recipient Egg donor Egg recipient
(b) any contraceptive operation or procedure or abortion.	Contraception operation or procedure Abortion information
20. Any of the following: (a) subject to section 4(4)(b)¹ of the Act, the donation and removal of any organ from the body of the deceased individual for the purpose of its transplantation into the body of another individual; (b) the donation and removal of any specified organ from the individual, being a living organ donor, for the purpose of its transplantation into the body of another individual; the transplantation of any organ mentioned in sub paragraph (a) or (b) into the body of the individual.	Organ donation and receipt (identity of organ donor, identity of organ recipient) Transplant, transplant-related complications (e.g. liver transplant rejection)

¹Section 4(4)(b) of the PDPA – 4(4) This Act shall not apply in respect of - (b) personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) shall apply in respect of personal data about an individual who has been dead for 10 years or fewer.

Other Types of Non-Clinical Information in Medical Records

Table 2 lists types of non-clinical information that may be found in medical records and which are also subject to the PDPA’s breach notification rules.

Table 2: Types of non-clinical information that can be found in medical records

Prescribed classes of non-clinical information in PDPA regulations	Specific data types/examples
21. Subject to section 4(4)(b) of the Act, the suicide or attempted suicide of the individual.	Suicide or attempted suicide
22. Domestic abuse, child abuse or sexual abuse involving or alleged to involve the individual.	Domestic abuse, child abuse or sexual abuse

Organisations can refer to the PDPA legislation, and the Personal Data Protection (Notification of Data Breaches) Regulations 2021 for details on the operational and notification requirements, as well as the other prescribed classes of information subject to mandatory data breach notification requirements.