
PDPA: Personal Data in Medical Certificates Defined by the Medical Council

posted 1 week ago

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA), effective June 1, 2023, governs the handling of personal data, including sensitive health information, with exemptions for medical purposes. The Subcommittee under the Personal Data Protection Committee has addressed the Medical Council’s inquiry about its standardized medical certificate forms, balancing professional standards with privacy compliance. This analysis outlines the facts, the subcommittee’s rulings, and the compliance implications.

Factual Background:

The Medical Council, established under the Medical Profession Act B.E. 2525 (1982), regulates medical practice standards per Section 7, including two medical certificate forms: (1) a health check certificate (2561/2018 version) and (2) a driver’s license certificate (2564/2021 version). Each form has two parts: Part 1, completed by the patient (e.g., name, address, congenital diseases), and Part 2, completed by the doctor. Part 1 ensures accurate health history for first-time patients without prior records. The council seeks clarification on PDPA compliance for patient self-reported sensitive data, third-party disclosure by patients, and form improvements.

Subcommittee Decisions:

The subcommittee ruled on three issues:

  1. Patient Self-Reported Sensitive Data in Part 1
    • Healthcare facilities, as data controllers, collect health data (e.g., congenital diseases) under PDPA, Section 26(5)(a), exempt from consent when necessary for legal duties (e.g., Medical Profession Act B.E. 2525 (1982)), preventive medicine, occupational health, diagnosis, treatment, or healthcare system management. Alternatively, Section 24(3) applies for patient-doctor contractual obligations, or Section 26(5)(a) for professional confidentiality. The council’s forms—requiring patients to input and sign off on personal data like name, address, and health history—fit these exemptions. Collection is lawful if limited to what’s necessary for the certificate’s purpose (e.g., epilepsy history for driving safety, per transport regulations). For new patients lacking records, self-reporting ensures accuracy, avoiding misleading certificates. Thus, this aligns with PDPA, Sections 24 and 26, provided data is purpose-specific and proportionate, per Section 22.
  2. Disclosure to Third Parties by Data Subjects
    • The National Health Act B.E. 2550 (2019), Section 7, deems health data confidential, barring disclosure that harms the individual unless the individual consents or disclosure is legally mandated. PDPA Section 26 and Section 27(1) echo this, prohibiting controllers from disclosing health data without explicit consent, except under exemptions. However, neither law restricts data subjects (patients) from sharing their own data. PDPA Section 30 grants data subjects access to their data, implying freedom to disclose it (e.g., to employers and authorities). Thus, patients can share their certificates with third parties without PDPA or National Health Act violations, as this is their prerogative, not the controller’s action.
  3. Recommendations for Certificate Forms
    • Health data’s sensitivity (potentially impacting rights and freedoms) requires recipients (e.g., employers and agencies) to secure it per PDPA, Section 37. The subcommittee suggests the council add guidance on forms or issue best practices for certificate use, ensuring third parties handle data appropriately and align with collection purposes. This enhances compliance without altering the forms’ structure, maintaining their professional utility.

Implications for Compliance:

The council’s forms comply with PDPA by leveraging medical exemptions, requiring only necessary data, and allowing patient disclosure flexibility. Healthcare facilities must ensure purpose-driven collection, while third-party recipients bear security duties. Adding guidance strengthens the ecosystem, aligning professional standards with privacy protections.

Key Takeaways:

  • Exemptions Enable Self-Reporting: Patient data in Part 1 is lawful under Section 26(5)(a) or Section 24(3) for medical purposes; no consent is needed where the collection is necessary (Section 22).
  • Patient Disclosure Is Unrestricted: Patients can share certificates freely per Section 30, unbound by PDPA or National Health Act restrictions on controllers.
  • Guidance Enhances Security: Adding recommendations ensures third-party compliance with Section 37, safeguarding sensitive data.
  • Necessity Rules Collection: Data must match certificate purposes (e.g., driving safety), balancing medical needs with privacy.

This ruling affirms the council’s approach, integrating PDPA exemptions with medical practice while suggesting proactive steps to protect data downstream.
