Providing Employee Health Insurance: Implications Under the Data Protection Act

While Thai Labor Law does not explicitly require employers to provide medical insurance to their employees, many nonetheless take out policies as part of their incentive package, particularly for expat workers. If an employer does decide to provide health insurance, employees will be asked to disclose personal data, including any previous health issues they or their family members have been afflicted with as well as other information about their lifestyle habits. In addition, it is likely that employers and insurance brokers will be required to disclose information about an employee with each other to discuss details regarding their medical coverage.

With Thailand’s Personal Data Protection Act expected to be enacted on 27th May 2020, how will the new legislation handle the disclosure of personal data to third parties such as insurance providers? This article aims to briefly examine the possible implications of collecting data from employees and how different stakeholders should approach it.

How are the stakeholders classified by the Act?

The Personal Data Protection Act highlights two distinct stakeholders involved in the collection of personal data: data controllers and data processors. Data controllers are defined as a “person or juristic person that has the power and duty to make decisions regarding the collection, use, or disclosure or personal data,”[1] whereas data processors are persons or juristic persons “who operate in relation to the collection, use, or disclosure of personal data according to the orders given by or on behalf of a data controller.”[2] It is worth noting that the two subjects are not mutually exclusive and it is possible for data controllers to also be data processors if they collect or process personal data by themselves.

Having said this, employers and insurance brokers are therefore considered data controllers given that they have authority over the use of the employee’s data. Likewise, if they choose to collect the said data by themselves, they will likewise be considered data processors and will be subject to regulations governing them.

Collection and disclosure of employees’ personal data

It must be noted that, according to Section 22, “the collection of data shall be limited to the extent necessary in relation to the lawful purpose of the data controller.”[3] This means that information collected by employers and/or insurance brokers in relation to an employee’s medical history must only be limited to the purposes of evaluating what can be covered under the prospective policy. The Act also states under Section 24 that personal information must be obtained from the data subject themselves,[4] unless “it is necessary for the performance of a contract to which the data subject is a party,”[5] or if “it necessary for legitimate interests of the data controller.”[6] Therefore if the employee has signed an employment contract giving consent to the employer to disclose their information, or if they have agreed in writing to allow an insurance broker to discuss details about the employee’s health with their employer, the employer and insurance broker will be allowed to exchange information about the employee as long as it remains confidential between the two parties.

The Act also highlights provisions that give the data subject the right to request for their personal information to be deleted if “the personal data is no longer necessary in relation to the purposes of which it was collected.”[7] While the legislation does not list specific circumstances, it could be interpreted that if the employer or employee decides to terminate their policy with the insurance provider, then the latter must destroy the data upon the employee’s request. This may also be applicable if the employee terminates their employment with their employer.

Duties of data controllers

On top of data controllers such as employers and insurance providers needing to obtain consent from employees over their medical history, the Act states that they must also implement systems that ensure the integrity and security of the data they collect[8] – particularly when sending employee data to multiple places. This means that data processors must not only provide the right infrastructure to the ensure secure storage of data, they must also have the right security protocols that enable secure exchange of information between stakeholders. Moreover, in the event of a data breach, data controllers will be required to report the incident to the Office of the Personal Data Protection Committee within 72 hours of becoming aware of the breach[9] and investigate the extent of the damage done.

Sections 41 and 42 likewise state that data controllers and processors must designate at least one data protection officer who will be in charge of overseeing activities involved in securing employee data.[10] This includes regular and systematic monitoring of employee data and enacting proper processing of sensitive data.

How can organizations best prepare for this Act?

It is first and foremost important to review the organization’s data policies and ensure that they sufficiently meet the guidelines listed in the Act, particularly with regard to the storage of employee data and the transfer of information to third parties such as insurance agents and benefit providers. It is also worth noting that compliance with the upcoming regulation should be an organization-wide effort with the HR department and legal counsel playing a key role in the initiative.

Having said this, it is also crucial for employees to understand what the Act will mean for their personal data, particularly when disclosing them for purposes related to their insurance benefits. This means they must be informed of how their data will be used by the insurance provider and must be given assurance that only relevant stakeholders will have access to their information. It might also be prudent to review employment policies regarding the collection and disclosure of their personal data.

With regard to insurance providers, it is recommended that employers select reputable partners that have already enacted or are in the process of enacting data protection policies that comply with the upcoming legislation. Many insurance companies in Thailand, particularly international providers, already comply with the European Union’s GDPR (the framework of which is similar to that of Thailand’s Personal Data Protection Act); thus, it is likely that using these providers may mitigate the risk of non-compliance.

For more information about the upcoming Personal Data Protection Act, or if you require assistance reviewing your data policies, please feel free to contact Silk Legal at info@silklegal.com.

This article was written for the sole purpose of providing information about the upcoming legislation. Recommendations mentioned in the article should not be considered legal advice.

 

[1] Section 6 “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf).

[2] Ibid.

[3] Section 22 “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf).

[4] Section 25 “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf).

[5] Section 24 “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf).

[6] Ibid.

[7] Section 33 “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf).

[8] Section 37 “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf).

[9] Ibid.

[10] Section 41, Section 42 “Personal Data Protection Act B.E. 2562,” (27th May 2019), (available at https://thainetizen.org/wp-content/uploads/2019/11/thailand-personal-data-protection-act-2019-en.pdf).