BIG DATA AND THE DETERIORATION OF CONSENT PRINCIPLE TO PROTECT HEALTH DATA PRIVACY IN MALAYSIA

Nazura Abdul Manap; Mohd Rizal Ab Rahman; Siti Nur Farah Atiqah Salleh

doi:10.33102/mjsl.vol12no3.572

Authors

Nazura Abdul Manap Faculty of Law, Universiti Kebangsaan Malaysia, 43600 Bangi, Selangor, Malaysia https://orcid.org/0000-0002-5718-845X
Mohd Rizal Ab Rahman Faculty of Law, Universiti Kebangsaan Malaysia, 43600 Bangi, Selangor, Malaysia https://orcid.org/0000-0003-1461-6060
Siti Nur Farah Atiqah Salleh Faculty of Law, Universiti Kebangsaan Malaysia, 43600 Bangi, Selangor, Malaysia https://orcid.org/0000-0001-5886-0810

DOI:

https://doi.org/10.33102/mjsl.vol12no3.572

Keywords:

Consent, big data, health data privacy, GDPR, Personal Data Protection Act 2010

Abstract

It is part of the legal requirement for an individual to be conferred the right to consent when it involves the processing of their health data. However, with the advent of big data in healthcare, consent principle as a lawful basis for data processing and as a tool for data privacy in healthcare is being challenged. In this article, big data refers to the processing and analysis of large data sets to find new correlations—for example, for decision-making purposes and improving health delivery of health bodies. While big data may be beneficial, it also imposes certain legal complications regarding the sufficiency of the Malaysian Personal Data Protection Act 2010 in implementing consent. This article aims to analyse consent principle under the PDPA 2010 as a tool for health data privacy and its sufficiency in big data. We adopt a doctrinal qualitative analysis as the methodology in this paper. It is found that the consent principle under the Act must be revisited because it is lacking in its suitability and functions in dealing with big data and the practical demonstration of explicit consent in protecting privacy. Therefore, it is suggested that Malaysia could look to the European’s Union General Data Protection Regulation as a potential model for enhancing its consent standards, with careful consideration of the existing constraints under the PDPA.

Downloads

Download data is not yet available.

References

Abdul Aziz, M. F., & Mohd Yusof, A. N. (2019). Can dynamic consent facilitate the protection of biomedical big data in biobanking in Malaysia? Asian Bioethics Review, 11, 209–222. DOI: https://doi.org/10.1007/s41649-019-00086-2

Ahlin, J. (2017). Personal autonomy and informed consent: Conceptual and normative analyses [Doctoral dissertation, KTH Royal Institute of Technology].

Andreotta, A. J., Kirkham, N., & Rizzi, M. (2022). AI, big data, and the future of consent. AI & Society, 37, 1715–1728. DOI: https://doi.org/10.1007/s00146-021-01262-5

Azmi, N. A., Mohd Noor, N., Muhd Shukri, M. I., Mahmud, A., & Abdul Manaf, R. (2022). The role of big data analytics in digital health for COVID-19 prevention and control in Asia. Malaysian Journal of Medicine and Health Sciences, 18(4), 173–181. DOI: https://doi.org/10.47836//mjmhs18.4.24

Batumalai, K. (2020, June 16). "Central contact tracing app may threaten data protection, SELangkah creator says". CodeBlue. https://codeblue.galencentre.org/2020/07/16/central-contact-tracing-app-may-threaten-data-protection-selangkah-creator-says/

Brazier, M., Cave, E., & Heywood, R. (2023). Capacity, consent and compulsion. In Medicine, patients and the law. Manchester University Press. DOI: https://doi.org/10.7765/9781526157188.00017

Cate, F. H., & Mayer-Schoberger, V. (2013). Notice and consent in a world of big data. International Data Privacy Law, 3(2), 67–73. DOI: https://doi.org/10.1093/idpl/ipt005

Cate, F. H., Kune, C., Svantesson, D. J. B., Lynskey, O., & Millard, C. (2017). Machine learning with personal data: Is data protection law smart enough to meet the challenge? International Data Privacy Law, 7(1), 1–2. DOI: https://doi.org/10.1093/idpl/ipx003

Chen, M., Mao, S., & Liu, Y. (2014). Big data: A survey. Mobile Networks and Applications, 19, 171–209. DOI: https://doi.org/10.1007/s11036-013-0489-0

Cieh, E. L. Y., & Ismail, N. (Eds.). (2013). Beyond data protection: Strategic case studies and practical guidance. Springer.

Cohen, I. G., Lynch, H. F., Vayena, E., & Gasser, U. (Eds.). (2018). Big data, health law, and bioethics. Cambridge University Press. DOI: https://doi.org/10.1017/9781108147972

Cormack, A. N. (2016). Downstream consent: A better legal framework for big data. Winchester University Press. DOI: https://doi.org/10.21039/irpandp.v1i1.9

Custers, B., Dechesne, F., Pieters, W., Schermer, B., & Van Der Hof, S. (2018). The Routledge handbook of the ethics of consent. Routledge.

Dash, S., Kumar Shakyawar, S., Sharma, M., & Kaushik, S. (2019). Big data in healthcare: Management, analysis and future prospects. Journal of Big Data, 6(54), 1–25. https://doi.org/10.1186/s40537-019-0217-0 DOI: https://doi.org/10.1186/s40537-019-0217-0

Dhali, M., Hassan, S., Zulhuda, S., & Ismail, S. F. (2022). Artificial intelligence in health care: Data protection concerns in Malaysia. International Data Privacy Law, 12(2), 143–161. DOI: https://doi.org/10.1093/idpl/ipac005

Directive 95/46/EC of the European Parliament and of the Council, Data Protection Directive 31, Pub. L. No. 1.281 (1995). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=NL

Dove, E. S., & Chen, J. (2020a). Should consent for data processing be privileged in health research? A comparative legal analysis. International Data Privacy Law, 10(2), 117–131. DOI: https://doi.org/10.1093/idpl/ipz023

Dove, E. S., & Chen, J. (2020b). To what extent does the EU General Data Protection Regulation (GDPR) apply to citizen scientist-led health research with mobile devices? The Journal of Law, Medicine & Ethics, 48(1), 187–195. DOI: https://doi.org/10.1177/1073110520917046

Faden, R. R., & Beauchamp, T. L. (1986). A history and theory of informed consent. Oxford University Press.

Froomkin, A. M. (2019). Big data: Destroyer of informed consent. Yale Journal of Law and Technology, 21(3), 27–54.

Hallinan, D. (2020). Broad consent under the GDPR: An optimistic perspective on a bright future. Life Sciences, Society and Policy, 1, 1–12. DOI: https://doi.org/10.1186/s40504-019-0096-3

Institute for Democracy and Economic Affairs. (2022, April 22). "Ideas: MySejahtera episode poses questions about data privacy". The Edge. https://theedgemalaysia.com/article/ideas-mysejahtera-episode-poses-questions-about-data-privacy

Ioannidis, J. P. A. (2013). Informed consent, big data, and the oxymoron of research that is not research. The American Journal of Bioethics, 13(4), 40–42. DOI: https://doi.org/10.1080/15265161.2013.768864

Jahn Kassim, P. N. (2019). Persetujuan kepada rawatan. Bengkel Undang-Undang Perubatan 2019.

Kaye, J., & Prictor, M. (2021). The Cambridge handbook of health research regulation. Cambridge University Press.

Kaye, J., Whitley, E. A., Kanellopoulou, N., Creese, S., & Hughes, K. J. (2011). Dynamic consent: A solution to a perennial problem? BMJ, 343. https://doi.org/10.1136/bmj.d6900 DOI: https://doi.org/10.1136/bmj.d6900

Lee Ewe Poh v. Dr Lim Teik Man & Anor (2011) 1 MLJ 835.

Mostert, M., Bredenoord, A. L., van der Sloot, B., & van Delden, J. J. M. (2017). From privacy to data protection in the EU: Implications for big data health research. European Journal of Health Law, 24, 1–13. DOI: https://doi.org/10.1163/15718093-12460346

Munir, A. B., Mohd Yasin, S. H., & Karim, M. E. (2012). Malaysia’s Personal Data Protection Act: Is it too little? In Data protection law in Asia (pp. 181–202). Sweet & Maxwell.

Munir, A. B., Yasin, S. H., & Karim, M. E. K. (2014). Data protection law in Asia. Sweet & Maxwell.

O’Connor, Y., Rowan, W., Lynch, L., & Heavin, C. (2017). Privacy by design: Informed consent and Internet of Things for smart health. Procedia Computer Science, 113, 653–658. DOI: https://doi.org/10.1016/j.procs.2017.08.329

OECD. (2015, October). "Health data governance: Privacy, monitoring and research – Policy brief". OECD. https://www.oecd.org/health/health-systems/Health-Data-Governance-Policy-Brief.pdf

Pointon, L. D., & Phuoc, J. C. (2012). Personal data protection cases and commentary with applied Syari’ah principles. CLJ Publication.

Price II, W. N., & Cohen, I. G. (2019). Privacy in the age of medical big data. Nature Medicine, 25(1), 37–43. DOI: https://doi.org/10.1038/s41591-018-0272-7

Prictor, M., Lewis, M. A., Newson, A. J., Haas, M., Baba, S., Kim, H., Kokado, M., Minari, J., Molnár-Gábor, F., Yamamoto, B., Kaye, J., & Teare, H. J. A. (2019). Dynamic consent: An evaluation and reporting framework. Journal of Empirical Research on Human Research Ethics, 15(3), 1–12. DOI: https://doi.org/10.1177/1556264619887073

Rothstein, M. A., & Shoben, A. B. (2013). Does consent bias research? The American Journal of Bioethics, 13(4), 27–37. DOI: https://doi.org/10.1080/15265161.2013.767955

San, T. P. (2020). Predictions from data analytics: Does Malaysian data protection law apply? Information & Communications Technology Law, 29(3), 291–307. DOI: https://doi.org/10.1080/13600834.2020.1759276

Terry, N. P. (2015). Big data proxies and health privacy exceptionalism. Health Matrix: The Journal of Law and Medicine, 24(1), 98–100.

Tharini, R., & Low, J. (2021). Patient autonomy, consent, and capacity of minors. In R. Tharini & J. Low (Eds.), Medical law and ethics in Malaysia (pp. 229–245). Lexis Nexis.

Torra, V., & Navarro-Arribas, G. (2017). Big data privacy and anonymization. In A. D. W. S. F.-H. L. F. C. R. Lehman (Ed.), IFIP advances in information and communication technology (pp. 15–26). Springer. DOI: https://doi.org/10.1007/978-3-319-55783-0_2

Tzanou, M. (2021). Health data privacy under the GDPR: Big data challenges and regulatory responses. Routledge. DOI: https://doi.org/10.4324/9780429022241

Vayena, E., & Blasimme, A. (2018). Health research with big data: Time for systemic oversight. The Journal of Law, Medicine & Ethics, 46, 119–129. DOI: https://doi.org/10.1177/1073110518766026

Vayena, E., & Madoff, L. (2019). Navigating the ethics of big data in public health. Public Health Ethics. Oxford University Press. DOI: https://doi.org/10.1093/oxfordhb/9780190245191.013.31

Vayena, E., Gasser, U., Wood, A., O’Brien, D. R., & Altman, M. (2016). Elements of a new ethical framework for big data research. Washington and Lee Law Review, 72(3), 420–441.

Walker, T. (2018). Consent and autonomy. In The Routledge handbook of the ethics of consent (pp. 131–139). Routledge. DOI: https://doi.org/10.4324/9781351028264-13

Walters, R., Trakman, L., & Zeller, B. (2019). Data protection law: A comparative analysis of Asia-Pacific and European approaches. Springer. DOI: https://doi.org/10.1007/978-981-13-8110-2

Working Party 259. (2016). Guidelines 05/2020 on consent under Regulation 2016/679 (pp. 1–33). European Data Protection Board.

Yuan, B., & Li, J. (2019). The policy effect of the General Data Protection Regulation (GDPR) on the digital public health sector in the European Union: An empirical investigation. International Journal of Environmental Research and Public Health. 16(6), 1070. https://doi.org/10.3390/ijerph16061070 DOI: https://doi.org/10.3390/ijerph16061070

Zenkera, S., Strechb, D., Ihrigc, K., Müllerf, G., Schickhardt, C., Schmidt, G., Speer, R., Winkler, E., von Kielmansegg, S. G., Drepper, J., & Jahnse, R. (2022). Data protection-compliant broad consent for secondary use of healthcare data and human biosamples for (bio)medical research: Towards a new German national standard. Journal of Biomedical Informatics, 131, 1–8. DOI: https://doi.org/10.1016/j.jbi.2022.104096