If specific personal data in the medical image data collected by a public agency can be regarded as non-personal data after being de-identified, the Personal Data Protection Law certainly does not apply to any subsequent provision of such data for use by external parties (Taiwan)

2018.9.4
Jenny Chen

The Ministry of Justice issued the Fa-Lu-10703512280 Circular of September 4, 2018 (hereinafter, the “Circular”), holding that if specific personal data in the medical image data collected by a public agency can be regarded as non-personal data after being de-identified, the Personal Data Protection Law certainly does not apply to any subsequent provision of such data for use by external parties.

The National Health Insurance Administration under the Ministry of Health and Welfare is currently planning and implementing the deployment of health insurance medical image warehouses and artificial intelligence applications as part of its participation in the Asia-Silicon Valley Development Plan promoted by the National Development Council.  This Circular was issued to address the question concerning the interpretation and application of the Personal Data Protection Law with respect to the planned deregulation of the provision of de-identified medical image data for use by external parties in the future.

Article 2, Subparagraphs 3 and 4 of the Personal Data Protection Law (hereinafter, the “Law”) provide: “The terms used herein denote the following meanings: …(3) Collection: To collect personal information in any form and way; (4) Processing: To record, input, store, compile, correct, duplicate, search, delete, output, connect or internally transmit information for the purpose of creating or using a personal information file.”

This Circular first pointed out that the act of de-identifying personal data should be regarded as “processing” within the meaning of Article 2, Subparagraph 4 of the Law.  Under the system and structure of the Law in Taiwan, the behavior of “collection” and “processing” are regulated with the same legal criteria, since the behavior of “collecting” personal data is mostly followed by that of “processing.”  Therefore, the Law does not specifically differentiate the behavioral criteria of the two.  In addition, since de-identified data should reach an extent where they can no longer directly or indirectly identify specific individuals, the processing and handling of de-identified personal data are not conducive to additional violation of the rights and interests of the individuals concerned.  Therefore, if the original collection of personal data complies with Article 15 and Paragraph 1 of Article 19 of the Law, the de-identification processing should be deemed to fall within the original specific collection purposes (rather than be incompatible with the original specific purposes) and may be engaged for the same lawful reasons as the original collection.

This Circular further pointed out that if any personal data in the possession of a public agency or non-public agency are de-identified through all kinds of technologies to an extent that the way they are presented can no longer directly or indirectly identify such specific individual, they are deemed non-personal data and are certainly not governed by the Law.  Therefore, the provision of de-identified personal data for open use no longer requires the written consent of the original data owners (see the conclusions reached in the minutes of the meeting in which the (draft) Personal Data De-identification Verification Standards were discussed in the Executive Yuan on August 18, 2015 as circulated by the Secretary General of the Executive Yuan via the Yuan-Tai-Ke-1040144764 Circular of September 17, 2015).

According to the final conclusion in the Circular, with respect to the exploration of the intended deregulated provision to external parties for use of special personal data in the medical image data as collected after de-identification, if the original behavior of collecting special personal data meets the proviso under Paragraph 1 of Article 6 of the Law, the de-identification “processing” should be deemed to fall within the scope of the original specific collection and may be engaged legally for the same lawful reasons as the original collection.  If the above-mentioned personal data which are retained are de-identified by using all kinds of technologies so that the way they are presented can no longer directly or indirectly identify such individuals, they are not considered personal data and their subsequent provision for use by external parties is certainly not governed by the Law.