PDPC Decision on Institute of Mental Health Data Consent

PERSONAL DATA PROTECTION COMMISSION [2025] SGPDPC 1 Case No. DP-2404-C2257 In the matter of an investigation under section 50(1) of the Personal Data Protection Act 2012 And Institute of Mental Health … Organisation DECISION Data Protection – Consent obligation – Implied consent – Use of personal data to identify and approach individual for participation in a study

Institute of Mental Health [2025] SGPDPC 1 Wong Huiwen Denise, Deputy Commissioner — Case No. DP-2404-C2257 21 May 2025 Introduction 1. The Complainant lodged a complaint against the Institute of Mental Health (the “Organisation”) with the Personal Data Protection Commission (the “Commission”) on 5 April 2024 for using his personal data without consent. The Commission commenced investigations to determine if the Organisation had complied with the Personal Data Protection Act 2012 (the “PDPA”). The Commission had conducted its investigations and issued an initial Decision on 15 November 2024. However, the Complainant subsequently brought certain new material facts to the Commission’s attention. These facts were not part of the Complainant’s evidence prior to the issuance of the initial Decision. Nevertheless, the Commission conducted further investigations and amended the Decision to clarify the relevant factual background and the basis of the Commission’s decision. Facts 2. On 20 March 2024, the Complainant was waiting to see a doctor at the waiting area of the Organisation’s clinic. A research officer (“RO”) from the Organisation approached the Complainant and identified the Complainant by his full name. The RO sought the Complainant’s consent to participate in a study relating to certain medical conditions affecting outpatients at tertiary psychiatric hospitals (“Study”). The Complainant lodged a complaint with the Organisation that day, seeking an

explanation as to why the doctor had disclosed his name and health condition and/or history to the RO, without his consent (the “Incident”). 3. The Organisation replied to the Complainant on 12 April 2024, explaining that the RO had approached the Complainant’s attending doctor on the day of his appointment for the names of suitable participants in the Study and their appointment times. The Organisation assured the Complainant that the attending doctor had only provided the names of suitable participants to the RO and the RO was not provided with other personal data such as the participants’ medical information (i.e. diagnosis or treatment). 4. As part of our investigations, the Commission interviewed both the attending doctor and the RO. The attending doctor explained that the RO had approached him for participants in the Study and the RO was looking for patients of a particular age group and medical profile. The attending doctor then provided the names of suitable participants and their appointment times at the clinic to the RO. Armed with the names of the potential participants in the Study and their appointment times, the RO then searched for these potential participants’ queue numbers in the Organisation’s database to locate their whereabouts in the Organisation. The RO proceeded to the waiting area and identified the Complainant after spotting his queue number on his hospital slip, approached the Complainant to enquire whether he might be interested in joining the Study, and was rebuffed. 5. Investigations established that at the time of the Incident, the Organisation had placed a notification prominently at the manned registration counters, payment and pharmacy counters in the clinic, which are high traffic areas and therefore highly likely

to be visible to all patients visiting the clinic. The notification states amongst other things, that “We may use your personal data to invite you to participate in suitable care programmes or shortlist you for participation in relevant research studies” (the “Notification”). The Organisation had placed these Notifications in the clinic since 2014. In this regard, the Commission notes that the Complainant has visited the same clinic since 2013 and was visiting the clinic at regular intervals immediately prior to the date of the Incident. Issues for Determination 6. First, it is important to clarify at the outset that while the Complainant was aggrieved by the disclosure of his health condition and history and other personal data by his attending doctor to the RO, this does not constitute a disclosure of personal data under the PDPA. Section 4(1)(b) of the PDPA provides that the data protection obligations apply to the organisation handling the data and not on individual employees acting in the course of their employment. Since it is not in dispute that both the attending doctor and the RO are employees of the Organisation, there was no disclosure of the Complainant’s personal data by the Organisation to third parties. 7. The Commission wishes to point out that public health care providers in Singapore routinely provide care or carry out other care-related activities in a team setting. It is therefore not possible for a patient to expect that his/her medical information would not be shared or disclosed in some form to other members of the clinical team, or shared, disclosed to or deduced by other employees in non-clinical roles. Having said that, the Organisation also needs to ensure that it only uses an individual’s personal data after having obtained the necessary consent and that its

employees’ access to an individual’s medical information is strictly confined to a need- to-know basis. 8. Hence, for the purpose of this assessment, the Commission is concerned ultimately with the Organisation’s use of the Complainant’s personal data to identify and approach him as a potential candidate for participation in the Study (the “Study Recruitment Purpose”). 9. Second, with respect to the personal data affected, the Commission disagrees with the Organisation’s response that the Organisation had only used the names of potential participants that may be recruited for the Study and that no other personal data, such as the medical information and age of potential participants had been used. In the Commission’s view, the Organisation would only be able to approach and recruit potential participants for the Study after assessing that these potential participants are of a particular age group, suffer or suffered from a medical condition related to the Study, and fit the parameters of the Study. Deputy Commissioner’s Decision 10. The Commission is of the view that the following issue arises for determination – Whether the Organisation obtained the Complainant’s consent or deemed consent by notification before using his personal data for the Study Recruitment Purpose.

Consent Obligation 11. Section 13(a) of the PDPA provides that an organisation must not use an individual’s personal data unless the individual has given or is deemed to have given his / her consent (the “Consent Obligation”). Section 14(1) of the PDPA states that an individual has not given consent unless the individual has been notified of the purposes for which his personal data will be collected, used or disclosed and the individual has provided his consent for those purposes. 12. The PDPA does not specify any particular manner in which consent should be obtained. As stated in [12.4-12.6] of the Commission’s Advisory Guidelines on Key Concepts in the PDPA, consent can be obtained in several ways: “Consent can be obtained in several ways. Consent that is obtained in writing or recorded in a manner that is accessible is referred to in these Guidelines as ‘express consent’. Such consent provides the clearest indication that the individual has consented to notified purposes of the collection, use or disclosure of his personal data. In situations where it may be impractical for the organisation to obtain express consent in writing, it may choose to obtain verbal consent. As good practice, organisations can consider adopting the following practices in cases when consent is obtained verbally, to prove that verbal consent had been given, in the event of disputes: https://www.pdpc.gov.sg/guidelines-and-consultation/2020/03/advisory-guidelines-on-key-concepts-in-the-personal-data-protection-act

1. Confirm the consent in writing with the individual (which may be in electronic form or other form of documentary evidence); or b) Where appropriate in the circumstances, make a written note (which may be in electronic form or other form of documentary evidence) of the fact that an individual had provided verbal consent. … Depending on the facts in some cases, the Commission may consider that consent is inferred or implied from the circumstances or the conduct of the individual in question. This is a form of consent where the individual does, in fact, consent to the collection, use and disclosure of his personal data (as the case may be) by his conduct, although he has not expressly stated his consent in written or verbal form.” (emphasis in bold added) Implied Consent 13. Since the Complainant did not provide express consent for the use of his personal data for the Study Recruitment Purpose, the Commission considered whether the Organisation had obtained his implied consent for the same purpose. Whether implied consent has been given is ultimately determined by the circumstances and conduct of the parties involved. In Re German European School Singapore [2019] SGPDPC 8 (“GESS”), the parents of a student at GESS (AB) challenged the applicability of GESS’ bye-laws on the basis that express consent was not given. PDPC opined that: “… As the school’s bye-laws were made available to the parents, they must be taken to have agreed to enroll their children in the school on that basis. This is certain the case in the present matter as AB has been enrolled in GESS for more than 10 years. I find that the parents’ decision to enrol[l] him, and to continue having him enrolled in the school for a substantial period, amounts to an acceptance of the school’s bye-laws… This constitutes implied consent for the purposes of the PDPA and, as it was validly given by AB’s parents, amounts to consent by AB pursuant to section 14(4) of the PDPA.” (emphasis in bold added) 14. In the Commission’s view, by displaying the Notification prominently on the manned registration counters since 2014, and on payment and pharmacy counters in the clinic prior to the date of the Incident, the Organisation has taken reasonable steps to bring the Notification to the attention of its patients including the Complainant. The Complainant stated that he had proceeded to the self-registration kiosks to register for his appointment at the Organisation’s clinic and that the self-registration kiosks did not display the Notification. In this regard, the Commission notes that the manned registration counters (which are right at the entrance of the clinic and displayed the Notification) were in very close proximity to the self-registration kiosks. The Organisation’s display of the Notification at the manned registration counters right at

the entrance of the clinic is consistent with the Commission’s Guide to Notification which states that for physical displays, “Notice should be prominently displayed prior to and during the collection, use and disclosure of personal data.” 15. Further, the Complainant had ample reasonable opportunities to see the Notification at some point during his visits to the clinic from 2014 when the Organisation first started displaying the Notification on the manned registration counters of the clinic, to the date of the Incident on 20 March 2024. 16. Having been satisfied that the Complainant was notified of the Study Recruitment Purpose, the Commission is also of the view that the Complainant had provided implied consent for the use of his personal data for the Study Recruitment Purpose: (a) Despite being afforded reasonable opportunities to view the Notification from 2014 to 2024, the Complainant continued to visit the Organisation’s clinic and never objected to the use of his personal data for the Study Recruitment Purpose. Further, the Complainant continued to provide his personal data to the Organisation through the provision of his name, age and medical information (which naturally evolved over that time). (b) On the date of the Incident, the Complainant proceeded to wait for his appointment after registering as a patient at the Organisation’s clinic. https://pdpc.gov.sg/help-and-resrouces/2019/09/guide-to-notification

1. On this basis, the Commission is of the view that the Complainant had provided his implied consent to the Organisation to use his personal data for the Study Recruitment Purpose. Accordingly, the Organisation was not in breach of the Consent Obligation. Deemed consent by notification 18. The Organisation in its submissions to the Commission had argued that it had obtained the Complainant’s deemed consent by notification to use his personal data for the Study Recruitment Purpose. Whilst it is not necessary for the Commission to assess this submission (as the Complainant had provided implied consent), it is nevertheless beneficial to assess the Organisation’s submission on this point. 19. Section 15A of the PDPA provides that an individual is deemed to have consented to the collection, use or disclosure of personal data for a purpose that he had been notified of, and he has not notified the organisation that he does not consent to the proposed collection, use or disclosure of the personal data. 20. As stated in [12.23] of our Advisory Guidelines on Key Concepts in the PDPA, deemed consent by notification is particularly useful where an organisation wishes to use existing data for secondary purposes that are different from the primary purposes for which it had originally collected the personal data for, and it is unable to rely on any of the exceptions to consent for the intended secondary use. In the present circumstances, the Organisation had initially collected the Complainant’s personal data for the purpose of his medical treatment, but was now seeking to use the
   Complainant’s personal data for a secondary purpose, i.e. the Study Recruitment Purpose. 21. To rely on section 15A of the PDPA, an organisation needs to do the following before collecting, using or disclosing any personal data of an individual: (a) First, conduct an assessment to determine if the proposed collection, use or disclosure may have an adverse effect on the individual and take the necessary measures to eliminate or mitigate any adverse effects. The organisation must retain a copy of the assessment through the period that it collects, uses or discloses personal data based on deemed consent by notification, and provide the Commission with a copy of the assessment upon request (b) Second, take reasonable steps to bring to the individual’s attention its intention to collect, use or disclose the personal data and the purpose for which the personal data will be collected, use or disclosed. (c) Finally, take reasonable steps to alert the individual to the means and time period within which the individual may notify the organisation that he does not consent to such use of his personal data. The individual must be provided with a reasonable period to opt out before the organisation collects, uses or discloses his personal data. [12.25] of Advisory Guideline on Key Concepts in the PDPA

2. In the Commission’s view, the Organisation has satisfied the first requirement as the proposed Study was reviewed and approved by the Domain Specific Review Board, an independent committee that reviews and approves research studies to ensure compliance with relevant laws and regulations. The prominent display of the Notification on all the clinic counters would also satisfy its second obligation to take reasonable steps to bring to the individual’s attention its intention to collect, use or disclose the personal data for the Study Recruitment Purpose. 23. However, while the Organisation may have satisfied the first and second requirements as set out above, it did not satisfy the third requirement. In the course of our investigations, the Commission established that the Organisation did not take any steps to bring to the Complainant’s attention the manner (or time period) by which the individual may notify the Organisation that he does not consent to the use of his personal data for the Study Recruitment Purpose. 24. The Organisation informed the Commission that the contact details of its Data Protection Officer (DPO) can be found on its website and that patients who have concerns or queries about IMH’s personal data protection policies and practices may contact its DPO. In addition, patients can speak directly to its counter staff or Quality Service Manager and request not to be shortlisted and invited to participate in any research studies. 25. While this may no doubt be true, the measures outlined by the Organisation are insufficient as they place the onus on the individual to navigate the Organisation’s bureaucracy to find out how he may opt out. It remains the case that the Organisation did not take reasonable steps to alert and bring to the Complainant’s attention that he
   may notify the Organisation of his refusal to give consent to the Organisation’s proposed collection, use or disclosure of his personal data to be invited to participate in suitable care programmes or relevant research studies, and the manner (or time period) by which he could do so. 26. Accordingly, the Commission is of the view that the Organisation cannot rely on deemed consent by notification to justify its use of the complainant’s medical information and age for the Study Recruitment Purpose. Conclusion 27. While the Commission finds the Organisation to be in compliance with the Consent Obligation on the basis of that it had obtained the Complainant’s implied consent before using his personal data for the Study Recruitment Purpose, the Commission recognises that as a matter of best practice, the Organisation could have done better to ensure that it obtained the express consent of individuals concerned prior to collecting, using or disclosing their personal data, particularly when this involved an individual’s medical information. 28. The Commission notes that the Organisation has since voluntarily reviewed its processes on its own accord and issued a revised guideline on the recruitment of subjects for research studies and clinical trials. Moving forward, the clinical team will first inform potential participants about the research recruitment, for which the patient may be a suitable candidate, either verbally or through research collateral material produced with the intention of recruiting patients or the general public to participate in clinical research, prior to direct contact by a member of the research team.

3. After the consultation with the attending care team, the RO would then proceed to approach potential participants to seek their express consent to participate in the research. For clarity, these changes do not and will not change the current process whereby a RO may approach patients in clinic waiting areas to participate in surveys or research studies where no patient medical records are used or disclosed. 30. The Commission is satisfied with these changes implemented by the Organisation as the Organisation will henceforth obtain and rely on the express rather than implied consent of individuals before using their medical information to approach and recruit potential participants for research studies. 31. While this may increase the Organisation’s administrative load, the Organisation would also be able to rely on deemed consent by notification under section 15A of the PDPA in future, so long as it tweaks its Notification to alert individuals of the means and duration by which they may give notice to the Organisation of their refusal to give consent to the Organisation’s proposed collection, use or disclosure of their personal data for recruitment in suitable care programmes or relevant research studies. WONG HUIWEN DENISE DEPUTY COMMISSIONER FOR PERSONAL DATA PROTECTION