ISSUES IN THE ENFORCEMENT OF PERSONAL DATA PROTECTION LAWS IN PUBLIC HOSPITALS

         At present, technology plays a significant role in the collection of personal data and the operations of government agencies, state enterprises, and private organizations. This is particularly evident in public hospitals, which handle personal health data of service recipients, a category of data protected under Section 7 of the National Health Act B.E. 2550 (2007). Previously, the principles governing personal data protection were subject to Section 24 of the Official Information Act B.E. 2540 (1997). Until Thailand recognized the right to privacy in personal data — a right acknowledged under international human rights law, particularly the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR), and further enshrined as a fundamental human right in the Constitution of the Kingdom of Thailand B.E. 2560 (2017)— the country enacted the Personal Data Protection Act B.E. 2562 (2019).This law aims to safeguard personal data rights, which encompass personal health data, as such data pertains to individuals’ medical and public health services as well as their health conditions. Given its sensitive nature, personal health data requires strict protection. Consequently, public hospitals, as state-supervised institutions handling personal data, must comply with the Personal Data Protection Act B.E. 2562 (2019).

          Nonetheless, various issues have arisen in the enforcement of the Personal Data Protection Act B.E. 2562 (2019) in public hospitals. These issues include: 1) the absence of clear definitions for “sensitive personal data” and “health data,” leading to difficulties in legal interpretation; 2) the lack of established criteria for appointing Data Protection Officers; 3) ambiguity regarding the authority and responsibilities of Data Protection Officers in assessing risks associated with data processing; and 4) deficiencies in personal data breach notification requirements, as the law does not mandate the recording of details related to data breaches, thereby complicating the verification process. These issues directly impact the operations of public hospitals. Without stringent legal measures, undesirable incidents involving patients' personal data could arise. Therefore, amendments to the Personal Data Protection Act B.E. 2562 (2019) are warranted to:  1) clearly define the terms “sensitive personal data” and “health data”; 2) establish uniform qualifications for Data Protection Officers; 3) assign Data Protection Officers the duty to assess risk impacts before processing data, ensuring effective management and planning in personal data protection processes; and 4) require the documentation of personal data breaches in a verifiable manner to facilitate the collection of evidence related to breaches and the legal compliance audit process.