Chukwuemeka Cameron | Not so fast, Dr Tufton
The Ministry of Health and Wellness recently announced a big data-sharing initiative with a view to making the delivery of healthcare services more efficient and effective. While the objective might be noble and inure to the benefit of the public at large, the government of the day, in the absence of a Data Protection Act, needs to tread cautiously in relation to how it seeks to implement projects such as these and its overall eGov strategy.
We would not want the recently announced Information Technology (IT) Authority to lack the legal clout to execute any of its functions. Any electronic platform that the government intends to implement that involves the processing and sharing of personal data with other government departments or third parties, by virtue of the recent National Identification System (NIDS) ruling, may be found to be unconstitutional.
Minister of Health and Wellness Dr Christopher Tufton recently pronounced that strategies will be identified to improve how information is shared across the public and private healthcare systems. The objective, he said, is to strengthen the delivery of health services to Jamaicans.
“It is quite clear to me that there needs to be some mainstreaming of information because if you have incomplete, inaccurate, or, even worse, no data at all, it’s going to be very difficult to take a coordinated approach to healthcare,” he argued.
It goes without saying that any improvement in how health data such as patient records are generated, recorded, stored, retrieved, analysed, and/or shared will substantially impact the quality of the delivery of healthcare services. We appreciate that the accurate processing of healthcare data can actually be a matter of life and death, what would be considered a vital interest under the Data Protection Act.
CONSIDER NIDS FINDINGS
Before implementing any such system, however, eGov Jamaica and the Ministry of Health and Wellness, bearing in mind that this is considered to be sensitive personal data, should consider the findings of the NIDS case, that is, Julian Robinson v Attorney General. This was a landmark decision for privacy rights, where the Constitutional Court, being led by none other than Chief Justice Bryan Sykes, among other things, held that:
“Informational privacy, which does not deal with a person’s body but deals with a person’s mind, and therefore recognises that an individual may have control over the dissemination of material that is personal to him. Unauthorised use of such information may, therefore, lead to infringement of this right.”
The NIDS ruling, in no uncertain terms, declares that the unauthorised use or sharing of personal information may lead to an infringement of one’s right to privacy as guaranteed by Article 13 (3)(j) of the Constitution.
The European Court of Human Rights, on July 17, 2008, in the case of I v Finland (appl No 20511/03), took the issue further when it declared that the protection of personal data, in particular medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the European Convention on Human Rights. It is worth noting that Article 8 of the convention is very similar to our Article 13(3)(j).
Security of health data, in this context, is an important issue. We see where the European Court of Human Rights attached particular weight to the confidentiality of health data. It said: “Respecting the confidentiality of health data is a vital principle in the legal systems of all the contracting parties to the convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general.”
SENSITIVE PERSONAL DATA
Privacy laws across the world view health data as sensitive personal data. The impact of health data being considered as sensitive personal data is that there would be additional hurdles that have to be passed before one can lawfully process this type of data.
The question that then arises is: what lawful authority would the Ministry of Health and Wellness have to share sensitive health records with other government agencies or process the healthcare data at all in circumstances where unauthorised processing of this sensitive personal data would constitute a breach of one’s constitutional right?
It is the writer’s opinion that if the Data Protection Act were to be passed, this would be a non-issue as the act would provide at least two lawful bases for processing this sensitive personal data. The sensitive health data could be processed or shared:
- for the exercise of any functions of the Government, a minister of the Government, or a government department; or
- for the exercise of any other functions of a public nature exercised in the public interest by any person.
But alas, there is no Data Protection Act.
Maintaining the confidentiality of patient records and failing to do so are real issues locally and internationally.
It was only a couple of months ago that it was reported in the media that details of the mental condition of an academic who was applying for a job at the University of the West Indies had been released into the public domain. This information that got into the public domain purportedly had a negative impact on his job prospects with the university.
IT Governance, one of the leading entities in all things General Data Protection Regulation (GDPR), published the fact that during October, Cybersecurity Month, the industry that experienced the most data breaches in Europe was the medical industry, and the primary type of data breach was ransomware.
So we have a situation where medical records, by their nature, are sensitive personal data. The unauthorised or incorrect processing of such data can have a serious negative impact on individuals, and this data is targeted by hackers, who appreciate its sensitivity and importance.
INFORMATION TECHNOLOGY GOVERNANCE FRAMEWORK
Even without the passage of the Data Protection Act, it behoves the government to ensure that an appropriate information technology governance framework is fully rolled out before there are any attempts to implement these great data-sharing initiatives.
Let us not make the same mistake twice by putting the cart before the horse, as was done in the NIDS case.
The reality of the situation is, however, that it is primarily legislation such as the Data Protection Act that could sufficiently establish the appropriate robust IT governance framework that would adequately start to protect the confidentiality, integrity, and availability of sensitive personal records such as health records.
I could not write this article without briefly addressing the impact the passage of the Data Protection Act will have on individuals’ right to access their medical records.
Traditionally, healthcare providers have been very reluctant to provide medical records to patients for whatever reason. In fact, the common-law position is that patients are only entitled to their medical records in limited circumstances. One such circumstance is where it is required to get further medical treatment.
This will all dramatically change with the passage of the Data Protection Act as healthcare providers, who will be regarded as data controllers, will be obliged, under the law, to provide patients’ records to them upon request within 30 days of a request being made.
It is an imperative of the government, as has been pointed out by the Inter-American Development Bank in the Observer dated November 26, 2019, that the country increase its information flows and use of data analytics as a primary building block of economic growth.
This holds true across all public- and private-sector organisations. We are happy that eGov Jamaica is being refocused to achieve this objective. One cannot overstate, however, that in order to lawfully leverage this explosion of data that is now available, in particular personal data, the requisite legislation that protects our fundamental right to privacy has to be in place to facilitate same.
The passage of the Data Protection Act is now an economic imperative.
- Chukwuemeka Cameron is an attorney with a master’s in information technology and founder of Design Privacy, a consulting firm that helps clients comply with privacy laws and build trust with their customers. Email feedback to firstname.lastname@example.org and email@example.com.