The President of the Republic of South Africa has declared a national state of disaster, in response to the Covid-19 pandemic.
Information relating to infected persons, in South Africa specifically, has become a vital resource in managing the spread of the disease caused by the novel coronavirus, and protecting vulnerable members of the community. This information may include the identity of infected persons, and the identity of anybody who may have come into contact with an infected person. This information (or “data”) is made up of the confidential medical information of infected patients.
This article will focus on how this confidential personal information is processed and disclosed, in line with the Protection of Personal Information (PoPI), and its Regulations.
The purpose of the PoPI Act is to regulate the processing of personal information by public and private bodies. The Act seeks to strike a balance between the right to privacy, and the reasonable right to access information.
In the medical field, all healthcare professionals and administrative staff obtain confidential and sensitive personal information on a daily basis, from the moment a patient enters a medical facility and divulges their medical history. This information is divulged with the understanding that it will only be used for the purpose of the patient’s health care.
What happens in the situation that we find ourselves facing today, where the disclosure of this personal information is imperative, in order to keep the citizens of South Africa safe and informed?
The PoPI Act
The PoPI Act prescribes certain conditions for the processing of personal information to be lawful. Personal information relating to a person’s health is considered to be special personal information, due to its sensitive nature, and a higher degree of protection is afforded to such information.
Unlawful processing of a patient’s medical information could result in severe penalties of up to R10 million in fines, and could even result in jail sentences (in some instances of up to 10 years).
Health Professionals Council South Africa (HPCSA) Guidelines
The regulations governing third party access to information are very similar for both the PoPI Act and the HPCSA.
The HPCSA Guidelines state that doctor-patient confidentiality is of paramount importance, in order to protect the interests of the patient.
The penalty for a breach of confidentiality can include sanctions by the HPCSA, a damages award to the patient of up to R10 million, and imprisonment for a maximum of 10 years.
The National Health Act
The National Health Act states that all patients have a right to confidentiality. This is consistent with the right to privacy, contained in the Constitution of the Republic of South Africa.
Notwithstanding the above, the National Health Act makes an important exception to the general rules of absolute confidentiality, set out in the PoPI Act and the HPCSA Guidelines. If the non-disclosure of a patient’s medical information would pose a serious threat to public health, then the medical information must be disclosed. For the disclosure to be justified, the risk of harm to others must be serious enough to outweigh the patient’s right to confidentiality and privacy.
A healthcare professional should first attempt to obtain the patient’s written consent, for the disclosure to be made. If this is not possible, the disclosure should still be made, but it should be as minimal as possible, and the patient’s anonymity must take preference.
Collecting important information about the spread of Covid-19, while also protecting the patient’s identity, is in line with both the PoPI Act, and the Constitution. In terms of the PoPI Act, information must be de-identified, as soon as it has been used for the purpose it was collected. The de-identified data can then be disclosed to the public, to keep them informed of the spread of the disease.
This is how the Department of Health can release statistics of infected persons, such as “A 48-year-old man in the Western Cape who travelled to Dubai” or “A 52-year-old woman in Gauteng who had travelled to Italy”. This data gives us vital information about the location, age, and gender of infected person, as well as how they contracted the disease, without infringing on the patient’s right to privacy.
A Covid-19 patient’s special personal information is also processed by many institutions, from the medical practitioner, to the Department of Health, and then to the World Health Organisation, without first being deidentified. This processing is lawful, as it is necessary for the proper performance of a public law duty. Also, in most cases, the patient will consent to this processing, in order to fulfil their own moral duty.
But what if a patient refuses to consent to testing, or to be quarantined? On 16 March 2020, the Department of Health was forced to launch an urgent application to the High Court, in order to trace 3 family members, 2 of whom tested positive for Covid-19, and who had refused to be quarantined. The remaining family member refused to be tested.
The High Court was required to weigh up the family’s Constitutional right to privacy, with the possible threat posed to the public health. In the end, national health prevailed, and the Court ordered that the family be traced, tested, and quarantined.
The general rule is that a patient’s right to privacy and confidentiality is paramount. During a national state of disaster, such as the one we face as South Africans today and for the foreseeable future, this right to privacy must be weighed against the risk of harm to the public health.
When the disclosure of infection statistics, and tracing of possible infected persons could save hundreds of lives (if not more), the PoPI Act, HPCSA Guidelines, the National Health Act, and the Constitution are in agreement: public health trumps the protection of personal information, and the right to confidentiality and privacy.