Abstract In April 2017, the Japanese Parliament passed the so-called Next- Generation Medical Infrastructure Act [the Act]. Its aim was to create the scheme in which hospitals can provide Background of the Act: patients' data to governmentally accredited private companies skilled in data handling and data security. Enactment of Personal Data It will be operated on voluntary basis. Hospitals are free to take part Protection Legislation in 2003 and in the scheme. Patients of participating hospitals are given the written notice of it and offered the opportunity to opt out of it. Its Amendment in 2015 The data company will collect and pool patients’ data, consolidating the data of the same patient, and make anonymization. The anonymized data will be provided for a fee to pharmaceutical companies, research institutions and government agencies for research and development. 2 3 Summaries of the PDP Act 2015 Amendment to the PDP Act ・ Specification of the purpose of use in the processing of The amendment created a new category of "personal data personal data is required. requiring special care."[ § 2 (3)] ・ When personal data is collected, notification to the data subject or publication of the purpose of use is required. "Personal Data Requiring Special Care" is defined ・ ( Without the consent of the subject ) The use of personal data personal data that contains the data subject's race, creed, beyond the specified purpose of use is prohibited unless social status, medical history, criminal record, fact of having otherwise authorized by law. suffered injury by criminal acts, or other descriptions ・ ( Without the consent of the Subject ) The sharing of personal data with the third party is prohibited unless otherwise prescribed by cabinet order as requiring special care in authorized by law. processing lest the unfair discrimination, prejudice or other ・ The disclosure or correction request by the data subject must disadvantage will occur on the part of the data subject. be adequately accommodated. 1 4 5
2015 Amendment to the PDP Act Amended PDP Act § 17 (2) ・ Collecting "personal data requiring special care" is ・ In health and medical area, the Cabinet Order allowed only where the advance consent of the subject is implementing the 2015 Amendment added to "medical obtained, except in the following cases. history" set out in the act the following three categories of description. [ § 2] (i) cases allowed by legislation. ・ The presence of mental or physical disability. (ii) cases in which there is a need to protect a human life, ・ The results of health checkup or other medical tests. body or property, and when it is difficult to obtain a ・ That health consultation, medical care or prescription subject's consent. filling was provided to improve the subject's mental and (iii) cases in which there is a special need to enhance physical condition. public health or promote fostering healthy children, and All medical and health data is, in effect, characterized when it is difficult to obtain the subject’s consent. as "personal data requiring special care.". (iv) ***. (v) ***. 6 7 Amended PDP Act § 23 (1) Amended PDP Act § 2 (9) ・ Sharing with third parties of personal data is allowed ・ "Anonymized data" means the data relating to an only where the advance consent of the subject is individual that has been created by processing the obtained, except in the following cases. personal data to make it (1) neither individually (i) cases allowed by legislation. identifiable (2) nor restorable to any personal data. (ii) cases in which there is a need to protect a human life, body or property, and when it is difficult to obtain a subject's consent. (iii) cases in which there is a special need to enhance public health or promote fostering healthy children, and when it is difficult to obtain the subject’s consent. (iv) ***. 2 8 9
Definition of Entities and Agent Medical Data Entity using medical data database (e.g. Processing Entity hospital, clinic, school and employer ) [Processing Entity] Summary of the Next-Generation Governmentally accredited private entity that Accredited Medical Medical Infrastructure Act creates anonymized medical data stored in Data Anonymizing systematically organized database by collating Agent [hereinafter referred to "the Act"] and anonymizing medical data to promote [Anonymizing Agent] R&D in the medical field Anonymized Entity that utilize database of anonymized Medical Database medical data (e.g. pharmaceutical company, User Entity research institution, and administrative body) [User Entity] 10 11 ③ Notification ① Application NATIONAL Definition of Medical Data under the Act for Accreditation Anonymizing Agent ⑥ Provision of GOVERN ‐ Processing Entity Medical Data ② Granting of ⑦Creation of Anony- ( Hospital /clinic , MENT ・"Medical data" is defined under the Act to mean the data accreditation mized Medical Data school , employer ) Prime relating to a [either living or dead] individual that contains the ⑧ Provision of Minister's following descriptions about mental and physical condition of Anonymized Office Medical Data the individual. Processing Entity User Entity (i) the medical history; ( Hospital /clinic , (Drug company, research (ii) the presence of mental or physical disability; school , employer ) institution & administrative body) (iii) the results of health checkup or other medical tests; ⑨R&D in the medical field ⑤ P ublic ⑤’ Refusal = (iv) that health consultation, medical care or prescription filling ③ Notification Announcemen Opting Out ⑩ Return of results was provided to improve the subject's mental and physical t condition. PATIENTS ④ Public Announcement (STUDENTS/ EMPLOYEES) GENERAL PUBLIC 3 12 13
Prime Minister's Office Medical Data Processing Entities (e.g. Hospitals) The Act provides that Prime Minister, Minister of Education and Science, Minister of of Health, Labor and Welfare and Minister of Economy, Trade and Industry are the ministers in Medical Data Processing Entities such as hospitals and clinics may charge of the Act. provide Accredited Medical Data Anonymizing Agent with medical data of the In fact, the Office of Health Care Strategies at the Prime Minister's Office seems to be the patients for collation, linkage and anonymization, provided that: leading authority supervising the administration of the Act. 1. They notify the patients and the supervising authority of their intention to When a prospective Anonymizing Agent would like to start its operation provide the Anonymizing Agent with their patients' medical data. [③] under the Act, it must first apply for and obtain the accreditation from the 2. The patients do not express their refusal (opting-out). [⑤’] supervising authority.[ ①② ] The accre-ditation will be granted only when the 3. They make public announcement by using appropriate means (such as Internet applicant shows that: website) regarding: (1) it meets the standard set by the regulation for judging the ability to (1) that they participate in the data providing scheme; properly create and provide anonymized medical data by collecting and (2) contents of the medical data to be provided; collating data for medical R&D. (3) method for providing data; (2) appropriate security measures are in place to prevent the leakage, loss or damage of data. (4) that the provision of identified medical data will be stopped upon receiving the request by the individual or her/his surviving family members; (3) it has the ability to properly administer the security measures prescribed (5) method for accepting the request. [⑤] in (2). [So far, no entity has been granted the accreditation.] 14 15 Prime Minister's Office Patients Patients of medical institutions are given the leaflet letting When the Processing Entity submits to the supervising them to know that, unless they express their objection, their authority the notification of its intention to provide the identified medical data will be shared with the Anonymizing Anonymizing Agent with its patients' medical data and other Agent that will collate and anonymize data for the use by information concerning the provision of data [ ③ ], the User Entities such as pharmaceutical company, research authority must publish the contents of the notification by the institution or government agency. [ ③ ] appropriate way including the use of the Internet. [④] Even after the patient's data is provided to the When the authority make the publication, the Processing Anonymizing Agent, the patient can request to delete her/his Entity must also publish its intention and other information data or the data derived from it. The Anonymizing Agent is concerning the provision of patients' data to the Anonymizing required to delete the data as far as practicable. Agent. [ ⑤ ] 4 16 17
Recommend
More recommend