To Share Or Not To Share Patient Health Data Without Consent For Public Interest Purposes: A Critical Comparative Analysis Of EU GDPR 2018 And Malaysia’s PDPA 2010
Abstract
This paper aims to validate the use and sharing of patient health data for medical research without consent when it serves the public interest and is safeguarded appropriately. With healthcare increasingly driven by data, access to patient datasets allows researchers to identify trends, develop more effective treatments, and inform policy, thereby benefiting public health. However, ethical and legal requirements, particularly data protection laws, are perceived by some researchers as impediments to research advancement. This paper proposes how data protection law can best be structured to balance privacy protection with the needs of research. A qualitative and comparative methodology is employed to evaluate the effectiveness of two legal frameworks (the EU General Data Protection Regulation (GDPR) 2018 and Malaysia’s Personal Data Protection Act (PDPA) 2010) in balancing privacy with research needs. Findings indicate significant limitations in Malaysia’s PDPA, including its narrow scope (which excludes the public healthcare sector) and the absence of research-specific provisions, potentially reducing its effectiveness in protecting privacy while accommodating research. The paper recommends that Malaysia’s PDPA adopt a framework similar to the GDPR to address these gaps. Key recommendations include extending the PDPA’s coverage to public healthcare data, establishing a ‘public interest’ lawful basis for research use, and implementing safeguards such as data minimisation and Data Protection Impact Assessments (DPIAs). Aligning the PDPA more closely with international standards could foster public trust in data practices, support Malaysia’s research infrastructure and promote the responsible and safe use of health data in scientific research.
ISSN: 0126-5008
eISSN: 0126-8694