The Australian Healthcare and Hospitals Association (АННА) is bound by the Australian Privacy Principles in the Privacy Act of 1988. The policy defines how healthcare information is to be collected and how personal information is used, along with access control and authorization mechanisms and the security of personally identifiable information using encryption. People are given the right to access the personal information that the АННА holds and can ask to correct the information if incorrect. The Privacy Act establishes 13 principles (APP) and they are:

  • 1. Open and transparent management of personal information
  • 2. Anonymity and pseudonymity
  • 3. Collection of solicited personal information
  • 4. Unsolicited personal information
  • 5. Notification of collecting personal information
  • 6. Uses or disclosures of personal information
  • 7. Direct marketing
  • 8. Cross-border disclosure of personal information
  • 9. Adoption, use or disclosure of government-related identifiers
  • 10. Quality of personal information
  • 11. Security of personal information
  • 12. Access to personal information
  • 13. Correction of personal information

Nigeria (NHA)

Nigeria doesn’t have a widely inclusive healthcare security structure. Rather, it has a few excerpts in its laws and legislations which refer to healthcare privacy. This arrangement is counterproductive and often applied in an ad hoc manner creating confusion. There are several loopholes present in the application of the national healthcare services framework which can leave the insurance services overburdened and leave the people of Nigeria helpless [11]. As of now, laws and arrangements from other sectors of industry not directly related to healthcare provide more security than the healthcare laws themselves. This cannot be a lasting solution. A legitimate structure that oversees the privacy concerns, establishes rules and directs security strategy must be established to ensure patient data privacy in Nigeria. The constitution guarantees the privilege of security in Nigeria and, alongside the National Health Act (NHA), Health Records Officers Act and Code of Medical Ethics, serves to guarantee the protection of each patient in Nigeria. The NHA provides recommendations which make hospital services liable for collection of data and has established rules which define methods of sharing of healthcare data. The NHA of Nigeria is based upon the standards of the HIPAA of the USA. However, in terms of implementation the NHA lags severely with most patient privacy laws only lingering on paper. This is because of the absence of financing, the enormous populace and the absence of trust among patients and medicinal service providers. In any case, Nigeria has a long way to go before they can ensure patient privacy and security.


Russia adopted the Personal Data Law that defines the special legal status of patients in the Russian Federation [12]. This law defines the responsibilities of healthcare personnel, ensures the legitimacy of healthcare data and provides means for redressal in case of violation of rights by way of exposing confidential information. “On the fundamentals of protection of the health of citizens in the Russian Federation.” The patient has the right to:

  • 1. The choice of which doctor and medical organization provides him/her treatment
  • 2. The prevention, diagnosis, treatment and medical rehabilitation in medical institutions in conditions that meet the sanitary-hygienic requirements
  • 3. Receive consultations with doctors and specialists
  • 4. The relief of pain associated with disease and/or medical intervention through available methods and medicines
  • 5. Receive information about his rights and duties, the state of his health and the selection of people to whom can be transferred information about his state of health, in his best interests
  • 6. Receive therapeutic feeding during treatment in stationary conditions
  • 7. Protection of information classified as “medical confidence”
  • 8. Refusal of medical intervention
  • 9. Compensation for harm caused to health consequent to the provision of medical care
  • 10. Access to his lawyer or legal representative for the protection of his rights
  • 11. Access to a clergyman, as well as provision to perform religious rites if they do not violate the rules of the medical institution

In case these rights are violated, an individual can complain to higher authorities like professional medical associates, the head of the institution, the prosecutor’s office and the legislative committee or can even go to the court directly. Information is subject to “medical secrecy,” and the disclosure of any information stored under this is prohibited for every person from colleagues to medical and nonmedical professionals.


Japan uses the Protection of Personal Information Acts to protect its citizens that include the concept of anonymously processed information. A separate act was enacted to cover healthcare data: Act on Anonymously Processed Medical Information to Contribute to Medical Research and Development, which aims at processing a patient’s data anonymously and securely for research purposes. The act provides for the security of patient records and allows redressal in case of violation. The Act to Promote Healthcare and Medical Strategy offers guidance regarding genetic testing and diagnosis which must also be conducted securely.


In China, the Network Security Law regulates that network providers must not disclose, falsify or destroy any personal information they have collected [13]. A network provider cannot divulge personally identifiable information to any third party without getting consent from data owners. However, data of users which cannot be used to re-identify a specific individual can be shared without consent.

The Chinese government later formally released a new regulation called the Information Security Technology and Personal Information Security Specification, referred to as the Specification. The security requirements, from collecting to storing, transferring and displaying the data, are defined in the Specification, though the Specification is a recommended standard, not compulsory. Even though the Specification has defined privacy and security with its phases, it has also added a few situations as exceptions:

  • 1. Academic institutions can act as a personal information controller to perform statistical and academic research which is in the interest of the public. Academic institutions are exempted from obtaining consent for data use from every individual if the results of their research are such that they cannot be used to re-identify a specific person. The results of the statistical and academic research must be de-identified.
  • 2. There is no need to obtain every individual’s consent for data use if the utility of data is directly related to public safety or public health.
  • 3. There is no need to obtain consent from the data owner if certain difficulties are present and the data use is to safeguard major legal rights such as the life and property of another individual.


Privacy breach notification in Canada is covered under the Personal Information Protection and Electronic Documents Act (PIPEDA) that states that private sector organizations are now required to notify affected individuals of any kind of security breach that may be a threat to the individual and report it to the privacy commissioner of Canada. This act stated that the customers should be given control of their data, and the data mobility rights, de-indexing and transparency should be maintained. It asks the firms to use tools for safer and protected data sharing. PIPEDA applies to federally regulated organizations like railways, banks, etc. Provinces like Alberta, British Columbia and Quebec have similar policies. The PIPEDA has incorporated the Canadian Standards Association Model Code (CSA Model Code) into the text of PIPEDA for the Protection of Personal Information. The CSA Model Code establishes ten principles:

  • 1. Accountability
  • 2. Identifying purposes
  • 3. Consent
  • 4. Limiting collection
  • 5. Limiting use, disclosure and retention
  • 6. Accuracy
  • 7. Safeguards
  • 8. Openness
  • 9. Individual access
  • 10. Challenging compliance

These principles are followed by all the firms under the act, protecting all information of the individual received through notes, conversations, videos, etc. If any such breaches occur that have a real risk of significant harm (RROSH) and the company fails to comply with the guidelines, a penalty of around $100,000 (Canadian) will be charged.


As written in Ref. [14], the Personal Information Protection Act (PIPA) serves as a general statute covering data privacy issues in Korea. This act defines the right to information privacy and includes the right to be informed of the processing of personal information and the right to claim damages that result from personal information processing. A patient’s healthcare data are termed as sensitive and confidential information since they can be used to identify a patient’s ideology, belief, political opinions, health and sexual life [15]. Healthcare data processing requires consent from data owners. The transfer and collection of these sensitive data can be done only after consent from the data owner on a separate consent form from the one which gives consent to only processing. The PIPA makes exceptions in a few cases: Personal genome data can be accessed for a criminal investigation, or to provide data to a foreign government to make extradition deals. The controller of healthcare information can use or share data for research purposes only if the data cannot be used to re-identify a specific individual.

No privacy policy is perfect, with each one being a work in progress towards a more robust, scalable and efficient system. Every healthcare privacy policy must have the following characteristics:

  • • Enforce a strict access control policy to help limit access to only a set of qualified authorized individuals [16]
  • • Encrypting healthcare data which are at rest, in transit or in use
  • • Utilizing multi-factor authentication for people wishing to access the data [17]
  • • Maintaining and updating logs of who is accessing the data [18]
  • • Establishing a data trail feature to keep track who the data have been shared with and who has modified the data
  • • The signing of a data use agreement between third parties and patients to ensure the patient’s data are not exploited
  • • Ensuring the patient has the right to access his/her personal data and appeal to the authority in case any personal information about the patient is wrong
  • • Allowing the patient to file complaints and seek redressal in case of violation of data use agreements
  • • Allow the patient to direct healthcare providers and insurance companies to not divulge certain information

To ensure any privacy policy enforces the above points, implementation and administrative expertise is required. It is essential to include researchers and scholars from the security and healthcare field to ensure every scenario is considered. While the above privacy policy defines the major points to be enforced, it is important to remember that every country is different in terms of the population, the spending and purchasing power of the people, the economy and the literacy present. There can be no uniform privacy policy solution for all countries. The budget allocated to developing a healthcare privacy system also plays a major role.

< Prev   CONTENTS   Source   Next >