Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

IV. Privacy issues

Identity management

Thailand requires its citizens to apply for national identity cards. From the age of seven all Thai citizens are required to apply for Thai identification cards, according to the Identity Card Act 1983 (revised 2011). Everyone must be able to show their cards if requested to do so by government officials; otherwise a fine of THB200 (USD 6.50) will be applied.

Before the launch of the new smart identity card, identity cards held personal information such as name, family name, address, birthday, marital status, and a picture of the owner. All personal information appearing on the card is stored and managed by the Office of Civil Registration, Department of Local Administration, Ministry of Interior. The authority insisted on dropping the age at which carrying identification becomes mandatory from 15 to seven on the grounds that the card will enable children to access public services such as the public health service better. More importantly, it can be used for identification for children of Thai nationality.1 When making an ID card, the name, address, the mother's name, the father's name, the photo, and fingerprints are registered and it becomes more difficult for anyone to subrogate the rights of children. The identity card number is also used as a tax identification number.

The new smart card (microchip) contains the following personal data: the card holder's name, addresses, date of birth, religion, nationality, blood type, allergies and medical conditions, biometric images, parents' names, marital status, social security, health insurance or healthcare scheme, driving licence details, and taxation data.

Biometrics

Launched in 2005, the implementation of the latest version of the Thai national ID card is believed to be the largest integrated circuit chip ID card project in the world, combining smart national ID cards with fingerprint information using Match-on-Card. The project aims to replace the existing ID card with a new smart and secure alternative to eliminate problems such as forgery, identity theft, and false or multiple identities. By adding digital fingerprint information to the new smart ID cards and thereby physically tying the card to a specific individual, the Thai authorities will reduce their risks in the future.2 As mentioned above, the current national ID card contains linkage to files in the civil registration database that contain the following biometric information: fingerprints, a mugshot picture before a height scale, and an iris scan.

Concern has been raised regarding the issue of how the responsible authorities will securely keep and completely control the data. In the absence of a comprehensive data protection law, the rules and regulations regarding personal data use and disclosure are still unclear.

Medical Privacy and Health Management

In practice, physicians and medical practitioners do not share patient information with outsiders as such information is generally for internal use. However, there are some laws and regulations protecting the privacy of health information. For example, the Medical Council's Regulation concerning the medical code of ethics3 specifies that medical practitioners shall not disclose patients' secrets that are derived from medical practices, unless doing so is approved by the patient or the disclosure is required by law or duties. Additionally, the Criminal Code4, Section 323, stipulates that any medical practitioner or trainee who has acknowledged others' secrets due to their medical practice or training and disclosed such secrets in a way that causes damages (a negative impact) to anyone, he or she shall be subjected to imprisonment up to six months, a fine of up to THB1,000 Baht (USD32), or both.

In general, patients' secrets will be kept confidential as long as the patient does not wish to disclose them. It is the patient's right to keep their secrets untold even in court.5 However, most patients would allow their personal information to be disclosed in court in their own interest. For example, a patient can specify persons to whom he or she would like to disclose the results of a positive HIV blood test. In the interests of the most efficient medical treatment, disclosing such secrets is usually allowed among medical staff treating the patient without advance approval for each one.

Once a patient's blood test result is known, the details are always placed in his or her medical record, where it is not easily noticed by outsiders, such as in a sealed envelope or inside a medical record file. In general hospitals, writing blood test results, particularly of severe diseases, on the front of the medical record file where they can be easily read is deemed malpractice. Putting a secret symbol that is only known internally is more appropriate, and preferable as best practice.

As for health information collection, hospitals in Thailand utilise a variety of hospital information systems (HIS), namely HOSxP, HospitalOS, EMR Soft, and so on.6 When a patient is transferred from one hospital to another, his or her medical record is also transferred. A hospital may collect overall patient health information for the sake of statistical records or educational purposes, while details of individual patients may be disclosed on an anonymous basis among medical practitioners as examples to aid understanding and further study of particular diseases. In general, only authorised medical staff are allowed to be involved in the information input process. Patient records are usually kept for at least five to ten years from the date of the patient's last hospital visit.

Overall patient statistics for use as a national health record in diverse diseases are kept at the Ministry of Public Health's Bureau of Epidemiology,7 where no details of individual patients are recorded. Patient registration of particular diseases, in which details of patients will appear as medical records, is kept at a variety of places depending on the type of disease. For example, Thailand's HIV registration is carried out at the Thai Red Cross AIDS Research Centre, better known as "Anonymous Clinique."8 Apart from the aforementioned laws, no particular laws regulate medical information sharing among hospitals or medical practitioners.

According to Dr. Prawit Leesathapornwongsa, a former telecommunications activist,9 the handling of medical information by the Thai State shows little regard for patients' privacy.  Citing one of his personal experiences while working in a hospital, he claimed that the National Cancer Institute was trying to compile their national database of cancer patients and requested this information from the hospital where he was working. When he declined the request noting the patients' right to medical privacy, he was reported for non-cooperation.

In Thailand, the privacy of medical information is perceived as less important than the administrative need for collection of health data.  Nevertheless, observers have noted that despite the many types of health information collected, the Ministry of Health's information system is not well-integrated enough to make efficient use of the data to cope with the number of patients and the diversity of diseases.10

Data Sharing

Since 2005 there has been an initiative to set up an infrastructure for data exchange   the so-called Thailand e-Government interoperability framework (TH e-GIF)   among government agencies. This framework has been developed by the Ministry of Information and Communication Technology (MICT) and is to be imposed on every government agency. However, the MICT is not a central agency that will develop the data exchange interface for all government agencies. The MICT only plays a nurturing role and gives recommendations to related agencies to follow TH e-GIF. The XML standard for data processing is recommended by the MCIT. However, data sharing among government agencies is not a requirement. The MICT does not have the legal right to request that every state agency share its data with others.

According to the civil registration law, the Office of Civil Registration at the Ministry of Interior, which keeps the largest pool of personal information of Thai citizens, does not share its data with any agencies except the Ministry of Foreign Affairs for passport identification, and the Royal Thai Police for criminal investigation and crime suppression.

Other databases

Databases such as criminal records are managed by the criminal records division under the Royal Thai police. Apart from authorities related to police investigation, the law only allows the owner of a record to request the criminal records division to issue his or her own fingerprint report which will indicate whether the requested person has a criminal record. In practice, however, many organisations ask job applicants to provide their fingerprint reports to screen against criminality while some have their own fingerprinting procedure which they submit to the criminal records division for employment screening.

Workplace monitoring

Thailand's Labour Protection Act, B.E. 254111 does not mention workplace surveillance in detail, but requires companies to state the code of disciplinary conducts in the workplace regulations of each office or company.

These workplace regulations must be submitted to and approved by the Department of Labour Protection and Welfare12, with complete details of eight topics:

  • Definition of workdays, work hours, and breaks;
  • Holidays, weekends, and conditions;
  • Regulations on over-time work and work during holidays;
  • Dates and places of wage payment, inclusive of overtime, work during holidays, and overtime work during holidays;
  • Leave and regulations on leave;
  • Disciplinary conduct and actions;
  • Complaints-handling procedure and
  • Termination of employment, compensation, and special compensation.

These workplace regulations topics focus on the physical circumstances of work with the aim of protecting employees' rights relating to pay, safety, and benefits. There is no clause regarding the protection of employees' privacy. So privacy depends on the organisation's ethics or good governance.

Most companies, such as the Siam Cement Group,13 state in their code of ethics that employee data is classified as confidential, the same as that of their business partners and clients. However, the employer has no jurisdiction when it comes to the issue of dealing with the personal data that each employee may have uploaded to public or social networks.

While companies may provide Internet access for their employees, the intention is usually that it should be used for the purposes of operating the business or employee development. There may, therefore, be limitations on Internet usage based on the bandwidth the company can afford and the information it provides on its intranet.

Among urban offices, company surveillance of employees' use of the Internet is a bigger issue than the privacy of employees' personal data.  Many offices are reportedly using software that monitors the pattern of computer use by employees to keep tab on their performance and productivity.

There has been as yet no court case regarding a termination of employment based on inappropriate use of the company's Internet access.

Financial Privacy

Financial institutions are generally required to collect two types of customer information, personal and transaction, while undertaking business and providing services such as deposit account opening, loan application, mutual fund account opening, credit card applications, and so on. Personal information includes name, address, phone number, email address, demographic and customer identification, credit card or bank account information, and so on. Financial institutions are also required to retain customers' transaction information in the process of conducting financial transactions. This information includes the amount of the transaction, the type, and even the Internet address (IP address) from which the transaction was conducted .14

Thailand has no regulatory requirements like 'Know Your Customer', but banks generally adhere to an internal platform of information requirements and retain such information during the course of a business relationship with customer.15

Banks are often required by the regulatory authorities to disclose information in case they need to report suspicious transactions. For example, the banks are required by law16 to provide monthly consumer credit reports to the National Credit Bureau Co., Ltd., including customer demographics and details of credit applications and repayment track records. The Anti-Money Laundering Act requires banks to report cash transactions of more than THB2 million (USD62,500), all transactions worth more than THB5 million (USD156,250), and any  suspicious transactions to the Anti-Money Laundering Office.17 Moreover, banks are required to disclose customer information to the Office of the National Anti-Corruption Commission, which is authorised by law,18 for probes into corruption cases. Additionally, banks are required to report and disclose customer information to the Office of Public Sector Anti-Corruption Commission (PACC),19 also for probes of corruption cases.

In summary, government agencies can generally gain access to financial information via the aforementioned requirements when corruption cases are being investigated. In some cases, banks are required to disclose client information upon orders from a court, the Bank of Thailand, or a lawful authority, or if disclosure is necessary for an examination, prevention or operation relating to a violation of the law.  Such an order might be issued in the event of doubt whether there is fraud, or in cases of money-laundering or that have an impact on national security or a case where the well-being, life, and physical body of another person is endangered.20

Consumer Privacy

In Thailand, there is no particular entity that is responsible for awareness-building regarding consumer privacy issues. However, the Official Information Act, B.E.2540 (1997), which mainly governs "the right" to access official information for the general public, also governs consumer privacy issues related to the supervision of the state agencies.21 However, consumer rights activists22 feel that the laws applicable to consumer privacy are not in accordance with international standards. Therefore, there has been an attempt to seek better legislation to govern consumer privacy.

Consequently, Thailand has drafted the Personal Data Protection Bill, which has been under consideration for a number of years.23 Once enacted, it would provide a comprehensive regulatory structure for personal data, applicable to virtually all government and private sector entities. Naturally, it will provide additional protection for consumer privacy, but it will also present businesses with greater compliance responsibilities.24

Currently, Information and Communication Technology (ICTs) have become an increasingly influential force in Thai society. According to the Royal Thai Police, there are a number of problems related to consumer privacy such as unsolicited advertising, unfair collection practices, and data breaches.25

In one instance, a wrongdoer used the name, position, address, and other personal data of a famous person to apply for an email account and used that account to contact others claiming to be that famous person. In another example, a bank sold the names and phone numbers of its customers to others who wishing to send unsolicited advertising to these customers. Additionally, some hotels have recorded car registration numbers or other personal data of their guests and disclosed these to others who are not police officers.

Gender

In Thailand, gender identification is a normal requirement on questionnaires, job application, application for educational institutions, membership applications, etc. Thus, no significant issue has so far been raised about gender disclosure in daily life. Chalidaporn Songsamphan, a professor at Thammasat University who has worked extensively on gender issues, was of the view that the general public in Thailand has accepted only two genders, male or female, which is apparently a reproduction of the dominant paradigm of two genders.  As a result, all services from both state and private sectors have been developed from an assumption of two genders with details of each service serving only two genders, despite the existence of diverse genders in Thailand.26

Apart from personal information, gender privacy issues in Thailand include the Woman Title Act, B.E.2551 (2008), which allows married or divorced women to choose either "Miss" or "Mrs" as their title; in the past they were allowed only "Mrs", according to the Department of Local Administration.27

In addition, in one incident, a transsexual who is one of the Lesbian, Gay, Bisexual and Transgender (LGBT) group has filed a petition to the Administrative Court against the military, which labelled her as "suffering from permanent psychosis" in her military discharge document (Sor Dor 43). The court finally ruled against the military, as the plaintiff in fact has a gender that is different from her biological birth sex, which was nothing to do with a mental disorder. Subsequently, the Ministry of Defense proposed a revised ministerial regulation, No. 37 (B.E.2516), adding item 3 (12), which read "the gender that is different from the biological birth sex" as a reason of discharge for persons in the second group who have incomplete physical conditions like the first group but are not disabled.28
Religion

A requirement for religious identification is normal practice in daily life for Thai people when filling out job application forms, applying for admission to an educational institution, registering and applying for membership of any group, and so on. Sometimes there is no need to indicate one's religion in these forms.

Thai people's national ID card generally indicates the cardholder's religion. Under the Identification Card Act, B.E.2526 (1983), Section 7, details on the national ID card must include name, family name, birth date, address, picture, and ID number. However, religion, religious denomination, or doctrine do not have to be specified on the ID card.   In the Identification Card Act (third), B.E. 2554 (2011), Section 7 has been maintained. But additional content has been added: "The ID card may have a storage chip embed on it but information contained in it shall not be disclosed to persons or organisations not involved in information collection, except information indicated on the card or disclosed to related organisations for the cardholder's benefit. The disclosure shall be approved by the cardholder or aimed for state benefit or national peace."29

Apart from the aforementioned issue, there is another issue regarding the presence of the cardholder's picture on the national ID card. According to an interview with Prof. Dr. Chaiwat Satha-Anand, Faculty of Political Science, Thammasat University, Muslim women demonstrated in 1988 demanding to wear the hijab when their pictures are taken for the card. Finally, the government altered the regulations to allow ID card pictures to be taken with the hijab in accordance with religious requirements.

Prof. Dr. Chaiwat added that the privacy issue on religious matters is more meaningful in the deep Southern provinces where martial law, the Royal Decree for State of Emergency, and the criminal code are enforced and definitely impact people's privacy.30

Footnotes