“The question of the right to privacy must be one of the defining issues of our time” (Salil Shetty)
As nations race against time to find a cure or at least contain the spread of Covid -19 questions are now arising to what extent should the right to privacy more so on health data be protected. One group of thought holds the view that the Government should disclose information to the extent of giving the name of the persons infected by Covid -19. This argument is founded on the view that the disclosure will cushion the spread of the virus as some persons who may have had contact with the persons will avail themselves for testing and the subsequent quarantine. The other school of thought states that health data should not be availed to the general public as it may lead to stigma associated with cases where persons health information are availed to the public.
The protection of privacy has been considered of sufficient importance to warrant constitutional protection under our Constitution. Article 31 of the Constitution recognizes the right to privacy which extends to the right not to have someone information or that relating to their family from being unnecessary required or disclosed. To give effect to Article 31, Kenya enacted the Data Protection Act, 2019 which further protects private information.
Section 2 the Act classifies health data as sensitive data that should, therefore, be collected and processed in a manner that upholds the principles of data protection under Section 25 of the Act. Furthermore, Section 46 requires health data to be processed by a Health Care Provider and by persons subject to the obligation of secrecy under any law. For the processing to be legal, it must be done for the public interest and by a person who owes a duty of confidentiality.
Section 11 of the Health Act 2017 further recognizes the need to protect information relating to a person’s health status treatment or stay in a medical health facility. These sections of the law in conjunction with the Doctor-Patient confidentiality principle provides a legal basis for the protection of health data which is sensitive.
But what happens when upholding privacy of the said data is against public interest and a threat to national security. Should processors of health data continue to hide behind the provision of privacy laws?
The answers to these questions can be traced firstly under Article 24 of the Constitution which recognizes that not all rights are absolute and some rights can be limited under the law. As it was held in JLN and 2 others vs. Director of Children Services and 4 Others Petition No. 78 of 2014.
The right to privacy is not absolute. Implicit in the protection accorded is that information relating to family and private matters must not be “unnecessarily revealed.” Indeed, counsel for the petitioner submitted that there are instances where the right to privacy in respect of the patient/client relationship may be abridged. He cited the case of W v Edgell  1 ALL ER 835 where Lord Bingham set out the principles under which a doctor may disclose the information held in confidence. The principles were as follows;
- A real and serious risk of danger to the public must be shown for the exception to apply.
- The disclosure must be to a person who has legitimate interest to receive the information.
- The disclosure must be confined to that which is strictly necessary (not necessarily all the details)
Secondly, Section 51 of the Data Protection exempts Data Processors from the principle of data protection if the processing is done for personal or household use, the said processing is necessary for national security or public interest and lastly if the said processing is a requirement of the law.
Thirdly, Section 11 of the Health Act recognizes the limitation of the right to privacy of Health data in instances where the court order such disclosure, informed consent for health research and policy planning.
The said requirement has also found backing in our court as our halls of justice recognises that the right to privacy more so of health data is not absolute. Hence in David Lawrence Kigera Gichuki vs. Aga Khan University Hospital  eKLR the courts set out 3 principles to be considered before health data is processed in a manner that would breach confidentiality. The Court opined thus:
The principles that emerge from the above considerations are therefore as follows:
- (i) That a medical practitioner or medical facility is under an obligation not to release confidential information about a patient without the patient’s knowledge or consent;
- (ii) That there are, however, circumstances in which the medical practitioner or institution may be required to release such information for valid governmental and public interest reasons;
- (iii) That a medical practitioner or institution may be required by law or a court order to release information about a patient without the patient’s consent
Because of the current pandemic that spreads through contact, the government may be forced to invoke these grounds as a base of disclosing health data to persons that have come into contact with an infected person. However, the said disclosure must be confined to that which is strictly necessary (not necessarily all the details). Therefore, the health ministry can lawfully and legally share patient information in public interest. This will go a long way in providing for a balance between the right to privacy and the government’s duty to protect its citizens, especially in assisting the government identify persons who might have had contact with persons suspected to have contacted Corona virus.
NOTICE: This article is provided free of charge for information purposes only; it does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary as set out in the article should be held without seeking specific legal advice on the subject matter. If you have any query regarding the same, please do not hesitate to contact the following Caxstone Phelix Kigata or Joseph Mugweru Muhuni at firstname.lastname@example.org or email@example.com.