Monday, 30 March 2020
I keep seeing private information about COVID-19 patients circulating on social media… is there a law to stop this from happening?
Interestingly, I have been thinking about this topic since the Opposition Leader, Kamla Persad-Bissessar, released information on the first COVID-19 related death in Trinidad & Tobago a couple weeks ago… and then again when apparently that same person’s medical history was later circulated on social media.
It was clear that the medical information I’m referring to (and I assume you are as well) could have only originated from the person’s confidential medical record, and thus shared by a medical professional. And if that medical professional was a doctor, they would have acted in breach of the Medical Board of Trinidad and Tobago Code of Ethics in the Practice of Medicine.
In addition to that specific breach for a doctor, and for any other medical professional who could have released the information, for privacy laws in Trinidad and Tobago, we have the Data Protection Act 2011:
4. The object of this Act is to ensure that protection is afforded to an individual’s right to privacy and the right to maintain sensitive personal information as private and personal.
Section 2 defines the term “sensitive personal information” to mean information on a person’s–
(a) racial or ethnic origins;
(b) political affiliations or trade union membership;
(c) religious beliefs or other beliefs of a similar nature;
(d) physical or mental health or condition;
(e) sexual orientation or sexual life; or
(f) criminal or financial record;
For a breach of patient confidentiality by doctor employed at a public institution, a person may be able to place that liability on the hospital/regional health authority:
40. (1) A public body shall not process sensitive personal information unless it obtains the consent of the person to whom that sensitive personal information relates.
But if there’s a breach of the doctor-patient confidentiality in the doctor’s private capacity, the following sections should apply:
69. A person who—
(a) collects, retains, manages, uses, processes or stores personal information in Trinidad and Tobago;
(b) collects personal information from individuals in Trinidad and Tobago; or
(c) uses an intermediary or telecommunications service provider located in Trinidad and Tobago to provide a service in furtherance of paragraph (a) or (b),
shall follow the General Privacy Principles set out in section 6 in dealing with personal information.
Those General Privacy Principles are:
6. The following principles are the General Privacy Principles which are applicable to all persons who handle, store or process personal information belonging to another person:
(c) knowledge and consent of the individual are required for the collection, use or disclosure of personal information;
(e) personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual;
(g) personal information is to be protected by such appropriate safeguards having regard to the sensitivity of the information;
(h) sensitive personal information is protected from processing except where otherwise provided for by written law;
With all that being said, these are the penalties for breaching the provisions of the Act:
95. (1) A person who commits an offence under this Act is liable upon—
(a) summary conviction, to a fine of not more than fifty thousand dollars or to imprisonment for a term of three years; and
(b) conviction on indictment, to a fine of not more than one hundred thousand dollars or to imprisonment for a term of not more than five years.