Personal Data Protection Notice
Background to National Eye Database Malaysia (NED)
- The NED is an ethically approved clinical quality registry containing patient data collected for the express purpose of contributing to improved patient treatments and outcomes.
- The NED is an independent non-profit organization operated under the National Heart Association of Malaysia in collaboration with the Ministry of Health Malaysia. The aim is to improve patient care.
- The collection, use, disclosure and access to data are all conducted in accordance with legal, ethical and national best practice guidelines.
Malaysian Personal Data Protection Act 2010 (Act 709) – NED compliance
- General, Notice & Choice, Disclosure Principle
- Data submission to NED is on a voluntary basis.
- The Eye Database Registry has been approved by Medical Research and Ethics Committee (MREC), Ministry of Health with the NMRR Research Registration ID: NMRR-08-552-1707
- Through the approval, NED has received approval for waived informed consent. Participation can be indicated by Public Notice.
- All the relevant NED approved ethics documents, forms and policies are available on the NED website.
- Open and transparent management of personal information
- Patient consent to participation is not required
- Submission to NED falls under the Non Application category of PDPA. NED collects data for statistical, non-commercial purposes and is classified under the Exemption Category of PDPA.
- Open and transparent management of personal information
- The NED website provides the NED Office contact details in the event of questions, concerns and complaints about the NED.
- States that the NED is not permitted to identify patients by law and that, to maintain absolute security and confidentiality, anyone wanting to use any of the data from the Registry will be required to obtain the approval and submit the necessary form available in the NED website. Guidelines will be provided.
- The NED Centre Participation in National Eye Database Consent form addresses the policy and guidelines for the participating centres to abide by. They have the ultimate responsibility for appropriately collecting and maintaining the NED data, including ensuring privacy and confidentiality of their own patients’ data.
- All personal information is kept strictly confidential: all data will be anonymised and aggregated in any presentations or publications and no patients or hospitals will be identified by name in reports.
- The Data Security Policy explains the security related to the collection, storage and accessibility of the information in the Registry. For more details, please refer to eNED Registration page https://www.macr.org.my/ened/fwbPage.jsp?fwbPageId=zAu_security_practices
- Anonymity and pseudonymity
- Anonymity and pseudonymity are impracticable for the NED as identification of individuals is required in order to:
i. Make the necessary changes to patients’ records e.g. opting-out from the registry; editing erroneous data, ethics approved linkage with the Jabatan Pendaftaran Negara (JPN) (National birth and death registration authority), etc
ii. Due to the nature of the Eye, cohort follow up of the patients is required
- However anonymity is preserved in the way that the data are used e.g. reports, presentations.
- Patients can opt out their personal data at any time, with just an ID code remaining in the system.
- Collection of solicited personal information
- The NED collects personal information which is directly related to its functions and activities. Public Notice is available at participating centres.
- The NED has all the appropriate ethics/governance approvals in place including approval of an opt-out process for participation, which is the gold standard for registries. This model presumes that patients will be willing to be included in the NED. Patients are advised that they are / will be in the NED but they are able to opt-out any of their personal information from the NED at any time.
- Data collection does not occur without prior ethics approval from Medical Research and Ethics Committee (MREC), Ministry of Health with local research governance.
- Dealing with unsolicited personal information
- Hospital staff can enter only required information on the eNED web application.
- Hospital staff only enter pre clerking, operative and post-operative follow up data based on data collected during patient’s visit.
- Use or disclosure of personal information
- The NED data are summarised to provide information that can inform clinical practice and policy in Eye related care. All data reported are de-identified and aggregated.
- The NED team is guided by the NED Data Access Policy which outlines how data may be used and supplied.
- Any persons wishing to undertake research using NED data need to submit a proposal for review by the NED Committee, as well as having appropriate ethical clearances. Data are only supplied to researchers, in approved studies, in a non-identifiable format.
- Identifiable data are only used for data quality checking processes by authorised staff/entities according to the NED Quality Assurance and Data Management Processes Policy to prevent duplicate reporting.
- All NED personnel sign a Confidentiality Agreement.
- All NEDApp users sign a User Agreement which outlines the user policy.
- Cross-border disclosure of personal information
- The NED server and backups are maintained in Malaysia. No data are held offshore.
- Quality of personal information
- The NED Quality Assurance and Data Management Processes outlines the data verification processes employed by the NED.
- NED conducts regular reviews of data completeness and discrepancies for determining case ascertainment. Data quality checks are also built into the NED Web application to ensure the quality of the data submitted.
- Training of centre staff in data entry and use of the NED Data Definition Dictionary takes place before any live data are entered. Site visits and data quality audits of randomly selected medical records are used to verify the accuracy of data collected by the NED. Centre users have been informed to enter only true and correct information, provide timely and accurate data, and respond promptly to data queries.
- Information is provided in the NED annual reports on the quality of the aggregated, de-identified data in the registry e.g. proportion of missing data per field.
- Security of personal information
- The NED Data Security Policy provides guidelines for all security-related aspects for the registry.
- NED data are collected via a web application that requires password access with varying levels of authority. The web application itself is protected by Secure Sockets Layer and the certificate shows the encryption details used.
- The servers are maintained in a secured data centre with state-of-the-art facilities in Cyberjaya. Data centre security: biometric authentication for access to the server storage area, CCTV, Pyrogen Fire Suppression System, Uninterrupted Power Supply. In addition, the servers are secured by server hardware and software such as a firewall, Intrusion Detection System and antivirus.
- Personal information is encrypted and de-identified in the database.
- Any hard copy data are stored in locked cabinets contained within NED Office in a building with swipe card access.
- All NED staff, IT vendor, statisticians and Management Committee members sign a Non-Disclosure Agreement whereby they undertake to maintain the confidentiality of any data that they access in the NED.
- Centre Users can only access data for their own site. Each authorized user in the centre has their own user account and is accountable for their own logins. All activities in the web application are audited.
- It is important to update the NED Secretariat whenever there is a change in your personal information, such as mobile number and e-mail address, or in your centre’s information, such as the centre address.
- If any staff member who has access to the NED web application has left your centre or should no longer have access to your patient records, please inactivate their access rights accordingly or inform NED whose access should be terminated.
- Data are backed up on a daily, weekly and monthly basis. Business continuity plan is in place in the event the web application is down.
- Access to personal information
- The Registry Forms provide details on the demographic and Eye related diseases information entered into the NED (which stipulates that the data are available from their hospital record).
- Personal details are reported by participating centres.
- Patients may contact the centre from which they received treatment (which acts as data custodian) about their data.
- Correction of personal information
- To ensure that any missing or discrepant data are corrected, the NED conducts regular data cleaning activities in consultation with the hospital staff.
- A systematic data quality audit process is also in place.
- All inaccurate information is amended by the NED office when it is notified or becomes aware that particular information is incorrect.
- An audit trail of web tool edits is maintained within the database.
- Registrants can amend their personal details by contacting the NED Secretariat.
- Data Retention
- Softcopy data since the beginning will be retained according to requirements by MREC.