Privacy, Data Protection & Medical Records Governance Manual

Purpose, Scope & Legal Basis

This governance manual sets mandatory privacy, data-protection and medical-record requirements for Contour Clinic International’s plastic-surgery centres in Bangkok and Pattaya. 1 5

It applies to all procedures (silicone and implant-based rhinoplasty, upper blepharoplasty, chin augmentation and Korean-style lower facelift) and to all staff, contractors and external processors handling identifiable patient information. 1

The policy is designed to comply with the Personal Data Protection Act B.E.2562 (2019) (PDPA) and the National Health Act B.E.2550 (2007) regarding health information, confidentiality, consent and patient rights in Thailand. 1 4

It also reflects obligations and common practice under Thai health-facility law and hospital-accreditation standards for documentation, security and record governance. 5 7

1. Privacy & Data Protection

Contour Clinic International is a PDPA “data controller” for all patient and staff personal data collected in its Bangkok and Pattaya facilities. 1 2

Health information, surgical images, diagnostic reports and biometric identifiers are treated as sensitive personal data, requiring stricter safeguards and explicit consent unless another clear medical or legal basis applies. 1 2

All privacy notices, consent forms and digital interfaces must clearly explain what data are collected, purposes, legal bases, retention periods and any cross-border transfers. 1 2

No more data may be collected than is reasonably necessary for clinical care, safety, quality assurance, legal compliance and legitimate clinic-governance functions. 1 8

Confidentiality duties under the National Health Act and professional-ethics rules apply to all clinicians and non-clinical staff, not only doctors and nurses. 4 8

Any new data-processing activity (for example, new software, cloud hosting, AI tools or telemedicine platforms) must undergo a documented PDPA-focused risk assessment before implementation. 1 9

2. Collection of Information

At registration and pre-operative assessment, the clinic may collect only information necessary to identify the patient, assess surgical risk, plan treatment, manage payment and comply with Thai law. 1 2

This typically includes identity documents, contact details, medical and medication history, allergy history, psychological or expectation screening, photographs, imaging and surgical-consent documentation. 1 4

Explicit, documented consent must be obtained before collecting or using sensitive health data unless a clearly defined medical or legal exception applies, such as emergency care or a statutory obligation. 1 2

Collection for marketing, testimonials or social-media use must always be separated from clinical consent, with a genuine opt-in that is not tied to receiving treatment. 1 8

Any collection via online chat, telemedicine, email or social media must follow the same PDPA principles as in-clinic collection, with logs and access restricted to authorised staff. 1 10

3. Secure Storage of Information

All electronic patient records must be stored in secure systems with access control, unique user logins (shared accounts are not permitted), audit trails that record which user viewed or changed which record and when, encryption in transit, and encryption at rest where feasible. 1 7

Clinical images, operative reports and consent forms must be linked to the electronic record and protected under the same security standards as other medical data. 1 7

Paper records, consent forms and imaging printouts must be held in lockable areas with restricted key or card access and must never be left unattended in public or semi-public spaces. 4 7

Portable devices (laptops, tablets, phones, USB drives) containing personal data should be avoided; where unavoidable, they must be encrypted, access-controlled and subject to loss/theft reporting rules. 1 3

CCTV, if used, must not record inside operating rooms or consultation rooms in a way that identifies patients unless there is a clear legal or safety justification and a PDPA-compliant notice and consent process. 1 4

Third-party IT providers, cloud services and software vendors must sign written agreements that impose PDPA-compliant confidentiality, security and breach-notification obligations as data processors. 1 9

4. Retention of Medical Records

Contour Clinic International sets minimum retention periods in line with Medical Establishment Act–based private-hospital practice in Thailand. 5 6

Core medical records for adult patients, including operative reports and pre-/post-operative assessments, must be retained for at least 10 years from the date of last treatment, unless a longer period is legally required or litigation is ongoing. 5 6

Before-and-after photographs and imaging used for clinical documentation are retained for the same period as the related operative record, unless specific PDPA-consent conditions require shorter retention. 1 6

Records for minors must be retained at least until the patient reaches legal majority plus the standard retention period to allow for late claims or medico-legal review. 4 6

If a patient withdraws consent for certain processing, such as marketing use of photos, the clinic must stop that processing but may retain the underlying clinical record where required for legal, public-health or medico-legal reasons. 1 4

At the end of the retention period, records must be destroyed or anonymised using methods that prevent re-identification, such as secure digital deletion (including copies held in backups and by processors) and cross-cut shredding of paper, with destruction logs kept for audit. 1 6
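The retention rules of this section, as an added worked example (illustrative code, not the clinic's own system), encoded as the disposal check a purge job would call before touching a record. It assumes an age of legal majority of 20 years (a parameter, not stated in this manual) and a minimal record shape; the names PatientRecord, retention_end and disposition are hypothetical. It handles the cases the text singles out: minors, an open claim, and withdrawal of marketing consent that must not delete the clinical record.

```python
"""Retention-date decision rules for section 4 of the manual.

Added example, not the clinic's own code. Assumptions not stated on the page:
the age of legal majority is 20 (treated as a parameter), and a record carries
only the fields these rules need.
"""
from dataclasses import dataclass, field
from datetime import date

STANDARD_RETENTION_YEARS = 10   # section 4: at least 10 years from last treatment
AGE_OF_MAJORITY = 20            # assumption: age of majority, a parameter not from the page


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February rolls to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class PatientRecord:
    patient_id: str
    date_of_birth: date
    last_treatment: date
    litigation_hold: bool = False
    purposes: set = field(default_factory=lambda: {"clinical"})

    def withdraw_consent(self, purpose: str) -> None:
        """Withdrawal stops that processing only; the clinical record is kept."""
        if purpose == "clinical":
            raise ValueError("clinical retention is a legal duty, not a consented purpose")
        self.purposes.discard(purpose)


def retention_end(rec: PatientRecord) -> date:
    """Earliest date on which the core record may be destroyed."""
    standard_end = add_years(rec.last_treatment, STANDARD_RETENTION_YEARS)
    majority = add_years(rec.date_of_birth, AGE_OF_MAJORITY)
    if rec.last_treatment < majority:
        # treated as a minor: majority date plus the standard period, never earlier
        return max(standard_end, add_years(majority, STANDARD_RETENTION_YEARS))
    return standard_end


def disposition(rec: PatientRecord, today: date) -> str:
    """What a disposal job may do today: 'retain', 'hold' or 'destroy'."""
    if rec.litigation_hold:
        return "hold"   # an open claim overrides the calendar
    return "destroy" if today >= retention_end(rec) else "retain"


if __name__ == "__main__":
    minor = PatientRecord("P-2", date(2010, 6, 15), date(2024, 1, 20))
    print(minor.patient_id, retention_end(minor), disposition(minor, date.today()))
```

The purge job should call disposition() per record and log its answer alongside the destruction record required above; a record the job may not destroy is still eligible for the narrower step of removing a withdrawn purpose such as marketing.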

5. Patient Rights

Patients must receive a clear, accessible privacy notice in Thai, and in other languages where appropriate, explaining how the clinic uses and protects their personal data. 1 4

Patients have rights under the PDPA to request access to their personal data, receive copies in a reasonable format and request correction of inaccurate information. 1 2

Where legally appropriate, patients may request restriction of processing, object to certain uses such as direct marketing or request deletion of data that are no longer necessary for lawful clinic purposes. 1 4

Requests must be documented, assessed in a timely way and responded to within PDPA timeframes, with reasons recorded where a request is partially or fully refused. 1 3

Patients must be informed how to lodge a complaint with the clinic’s Data Protection Officer and, if unresolved, with the Personal Data Protection Committee (PDPC) or the relevant health regulators. 1 3

6. Disclosure of Information

Disclosure of identifiable patient information is permitted only where it is supported by a PDPA lawful basis and consistent with Thai health-law confidentiality obligations. 1 4

Routine disclosures include sharing necessary data with treating clinicians, nurses and allied-health staff, or with laboratories and imaging providers involved directly in the patient’s care. 1 7

Disclosures to insurers, finance providers, referring clinics or other third parties must be limited to what is necessary, documented and supported by appropriate consent or another legal basis. 1 2

Cross-border transfers of identifiable data, for example cloud hosting outside Thailand or remote access by governance staff overseas, must follow PDPA rules on international transfers, with contractual safeguards and transparency in the privacy notice. 1 2

Patient images or case details used for teaching, audit or marketing must be anonymised wherever possible, and identifiable use must rely on explicit, separate consent that can be withdrawn at any time. 1 8

Disclosures required by Thai law, such as court orders or mandatory disease reporting, must be logged and limited strictly to the scope required by the requesting authority. 4 5

7. Governance, Oversight & Breach Management

Contour Clinic International appoints a Data Protection Officer because it processes large volumes of sensitive health data on a continuous basis in both Bangkok and Pattaya locations. 1 9

The Data Protection Officer oversees PDPA compliance, advises on data-protection impact assessments, monitors internal audits and acts as primary contact with the Personal Data Protection Committee (PDPC). 1 9

All staff must complete privacy and PDPA training on induction and at least annually, with additional role-specific training for surgeons, nurses, administrative staff and marketing teams. 1 7

The clinic maintains a data-processing register that records systems used, categories of data, purposes, legal bases, retention periods and key processors. 1 2

Any suspected personal-data breach, such as lost files, mis-sent emails, hacking, unauthorised access or stolen devices, must be reported immediately to the Data Protection Officer using the clinic’s incident form. 1 3

The Data Protection Officer must assess the risk to data subjects and, where the breach is likely to pose a risk to their rights and freedoms, notify the Personal Data Protection Committee (PDPC) within 72 hours of the clinic becoming aware of it; where the risk is high, affected individuals must also be informed without undue delay. 1 3

Post-incident reviews must identify root causes and implement corrective measures such as technical fixes, process changes and staff re-training. 3 7

8. Documentation, Audit & Continuous Improvement

The clinic maintains written policies and procedures covering consent, record keeping, security, escalation, breach management and disposal, which are reviewed at least annually or after major legal changes. 1 7

Regular internal audits check access logs, consent documentation, retention practices and third-party contracts, with findings reported to senior governance and the Data Protection Officer. 1 7
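An added example of the access-log review described here, and of the audit trail section 3 requires (illustrative code, not the clinic's tooling): three checks run over constructed EMR audit-trail lines. The log format, the care-team register, the clinic hours and the thresholds are assumptions; the names parse_log, audit and run_audit are hypothetical. Each finding is a lead for the reviewer, not a verdict.

```python
"""Access-log review for the internal audits in section 8.

Added example, not the clinic's own tooling. The log format, the care-team
register and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail: ISO time, user, role, patient id, action.
SAMPLE_LOG = """\
2025-11-10T09:12:04 surgeon01 surgeon P-1001 view
2025-11-10T09:15:30 nurse07 nurse P-1001 view
2025-11-10T09:40:11 admin03 admin P-1001 update_billing
2025-11-10T12:02:45 nurse07 nurse P-2044 view
2025-11-10T23:41:09 admin03 admin P-3100 export_images
2025-11-11T10:05:00 marketing02 marketing P-1001 view
2025-11-11T10:05:20 marketing02 marketing P-1002 view
2025-11-11T10:05:41 marketing02 marketing P-1003 view
2025-11-11T10:06:02 marketing02 marketing P-1004 view
2025-11-11T10:06:25 marketing02 marketing P-1005 view
2025-11-11T10:06:48 marketing02 marketing P-1006 view
"""

# Constructed care-team register: staff directly involved in each patient's care.
CARE_TEAM = {
    "P-1001": {"surgeon01", "nurse07"},
    "P-2044": {"nurse07"},
    "P-3100": {"surgeon01"},
}
ROUTINE_ROLES = {"admin"}       # registration/billing access needs no care relationship
CLINIC_HOURS = (8, 20)          # assumption: 08:00 to 20:00 local time
BULK_THRESHOLD = 5              # distinct patients per user within one clock hour
EXPORT_ACTIONS = {"export_images", "print", "download"}


def parse_log(text: str) -> list[dict]:
    """Parse the constructed space-separated log into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def audit(records: list[dict]) -> list[tuple[str, str, str]]:
    """Return (check, user, detail) findings for a reviewer to confirm or dismiss."""
    findings = []
    per_user_hour = defaultdict(set)
    for r in records:
        # 1. Access with no care-team relationship, by a role that needs one
        if r["role"] not in ROUTINE_ROLES and r["user"] not in CARE_TEAM.get(r["patient"], set()):
            findings.append(("no_care_relationship", r["user"], r["patient"]))
        # 2. Exports or prints outside clinic hours
        if r["action"] in EXPORT_ACTIONS and not (CLINIC_HOURS[0] <= r["ts"].hour < CLINIC_HOURS[1]):
            findings.append(("after_hours_export", r["user"],
                             f"{r['action']} {r['patient']} at {r['ts'].isoformat()}"))
        # 3. Bulk access: many distinct patients by one user within one hour
        per_user_hour[(r["user"], r["ts"].strftime("%Y-%m-%dT%H"))].add(r["patient"])
    for (user, hour), patients in per_user_hour.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(patients)} patients in hour {hour}"))
    return findings


def run_audit(text: str = SAMPLE_LOG) -> list[tuple[str, str, str]]:
    return audit(parse_log(text))


if __name__ == "__main__":
    for check, user, detail in run_audit():
        print(f"{check:22} {user:12} {detail}")
```

The care-relationship check is the one that catches the marketing-team browsing above; it only works if the EMR records a reason or relationship for each access, which is why section 3 requires the audit trail to capture who accessed which record.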

External audits or accreditation visits by Thai regulators or hospital-accreditation bodies must be supported with complete, accurate and timely documentation. 5 7

Planned changes to IT systems, clinical documentation or new services such as telemedicine or AI-assisted tools must include a documented privacy-by-design impact assessment. 1 10

This governance manual is a living document and will be updated as PDPA guidance, Thai health-law regulation or professional-body standards evolve. 1 4

Sources

  1. Government of Thailand, Personal Data Protection Act B.E.2562 (2019) (PDPA) – core Thai data-protection statute for controllers and processors, including health-sector obligations and data-subject rights, accessed 28 November 2025, https://pdpathailand.com/pdpa/index_eng.html
  2. Tilleke & Gibbins, PDPA guidance on sensitive health data, lawful bases and transparency – including life-sciences and health-sector analyses of PDPA’s treatment of medical and biometric data, accessed 28 November 2025, https://www.tilleke.com/insights/thailand-operationalising-pdpa-lawful-basis-sensitive-personal-data-and-data-processing-safeguards/
  3. Nishimura & Asahi, PDPA data-breach notification regime – PDPC Guidelines on Data Breach Assessments and Personal Data Breach Notifications, and commentary on the 72-hour reporting requirement, accessed 28 November 2025, https://www.nishimura.com/en/knowledge/publications/personal-data-protection-laws-update
  4. Government of Thailand, National Health Act B.E.2550 (2007) – Thai health law establishing confidentiality of personal health information and patient participation in health-care decisions, accessed 28 November 2025, https://asean.org/wp-content/uploads/2016/08/Thailand182.pdf
  5. Herrera & Partners, Thai health-industry and facility-law overviews, including Medical Establishment / Medical Facilities Act B.E.2541 and regulation of private hospitals and clinics, accessed 28 November 2025, https://www.herrera-partners.com/2025/11/10/legal-framework-in-thailand-for-the-medical-business/
  6. Bangkok Hospital, Medical-record retention practice under the Medical Establishment Act – hospital privacy notices confirming minimum 5-year and typical 10-year retention periods for records and imaging, accessed 28 November 2025, https://www.bangkokhospital.com/en/page/privacy-policy
  7. Healthcare Accreditation Institute (Thailand), Hospital record-keeping quality, audit and EMR standards in Thailand – guidance on complete documentation, coding practice and EMR-based quality improvement, accessed 28 November 2025, https://backend.ha.or.th/fileupload/DOCUMENT/00185/4e7d9e4e-bedc-4a64-adbd-d80ac1a6662f.pdf
  8. Chulalongkorn University Faculty of Law, Academic and legal analysis of Thai health-data protection and physicians’ disclosure duties – proposals to harmonise overlapping laws and strengthen privacy for medical records, accessed 28 November 2025, https://www.law.chula.ac.th/wp-content/uploads/2020/12/TDPG3.0-C5-20201208.pdf
  9. DLA Piper, PDPA Data Protection Officer and life-sciences compliance guidance – when a DPO is required, typical responsibilities and expectations for organisations processing health data, accessed 28 November 2025, https://www.dlapiperdataprotection.com/index.html?t=roles&c=TH
  10. Ministry of Public Health Thailand, Telemedicine and health-data protection practice in Thailand – application of PDPA and National Health Act rules to remote consultations and electronic transmission of medical information, accessed 28 November 2025, https://bdh.moph.go.th/site/wp-content/uploads/2023/08/3.1.5-telemedicine.pdf

Author information

Contour Clinics Thailand International, Governance & Compliance Division