Artist : Mr. Chau-yih Yu
On 12 August 2022, the Constitutional Court issued judgment No. 13, declaring the National Health Insurance Administration’s (NHIA’s) transformation of medical records via de-identification into government data for secondary use was unconstitutional – protection of such information is provided for in articles 79 and 80 of the National Health Insurance Act.
The Taiwan National Health Insurance system has a global reputation for ensuring that foreign residents, as well as nationals, receive high quality medical care at the lowest possible insurance premiums. In the late 1990s, the NHIA established the National Health Insurance research database (NHIRD), derived from Taiwan’s mandatory National Health Insurance programme, which deals with medical records. The National Health Research Institute (NHRI) has maintained it since. The NHIRD is commonly used for various research activities, such as biomedical and public health research. However, secondary use of healthcare data raised legitimate privacy concerns, specifically when the NHIA denied that:
– data subjects have the right to delete their personal data from the database; and
– data subjects could request for their personal data to not be used.
Consequently, human rights advocates brought lawsuits against the NHRI and the NHIA. The disputes went all the way up to the Supreme Administration Court, and the plaintiffs eventually filed a claim with the Constitutional Court in order to render void article 6.1.4 of the Personal Data Protection Act (PDPA). This article states that:
Data pertaining to a natural person’s medical records, healthcare, genetics, and physical examination shall not be collected, processed or used unless it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare or public health, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject.
The plaintiffs also petitioned to outlaw articles 79 and 80 of the National Health Insurance Act, which government agencies used to defend arguments that the data protection rules would not apply:
– for secondary use of medical records after de-identification; and
– if government data is made available to relevant third parties for further research that would increase public interest.
The Constitutional Court partially upheld the plaintiff’s claims. In its judgment, the Court held that although article 6.1.4 of the PDPA is clear enough, with a combined examination of the PDPA and the National Health Insurance Act, it becomes obvious the National Health Insurance Act lacks an adequate mechanism for monitoring third-party use of the de-identification database and ensuring that all the mandatory protections are in place, which includes detailed provisions on opt-out rights of data subjects.
The Court has mandated government to rectify this loophole or supplement the legislation with new enactments by 22 August 2025.