1. Confidentiality and the right to privacy

 

Doctor-patient confidentiality is one of the cornerstones of the medical profession. Sections 12 and 14 of the South African Constitution protect this right as well. Section 12 relates to freedom and security of the person (the right to have control over one’s body and information about oneself) and section 14 entrenches the right to privacy. Inferences drawn from personal information such as names etc. as to the race or any other characteristic of the patient may amount to claims of unfair discrimination under section 9 of the Constitution, especially as persons also have the right to self-identify.

 

Other relevant documents supporting the sanctity of this principle is Ethical Rule 20 of the Rules specifying the acts or omissions in respect of which the Council may take disciplinary steps promulgated in terms of the Health Professions Act of 1974 and the SAMA Code of Conduct. The Declaration of Helsinki of the World Medical Association also entrenches the principle of informed consent in relation to medical research. The new proposed WMA policy on health databases (attached) includes strict provisions in relation to the protection of privacy. One of the most recent proposals of the Medical and Dental Board on patient records on CD includes reference to “effective safeguards against the unauthorised use or retransmission of confidential patient information”.

 

2. Information requested by a third party

 

The Promotion of Access to Information Act of 2000 states that any person can request information from a private body if s/he can show that s/he requires that information for the exercise of their rights. When requesting information held by a public body, the requester need not show that s/he requires the information for the protection or exercise of their rights. The person or body from which the information is requested, must refuse such information if it amounts to an unreasonable disclosure of personal information about a third party, unless the person has consented to that information about him/herself being made available to a specified third party under specified situations. This includes patient records (names, ages, gender, diagnoses, treatments, etc.). Even where a decision is made that regards the disclosure as “reasonable”, the person divulging such information may still be challenged on the alleged “reasonableness” of the disclosure AND for a breach of sections 12 and 14 of the Constitution.

 

3. Information volunteered

 

Where there is no request for information (i.e. the Promotion of Access to Information Act does not apply) and the medical practitioner voluntarily tenders information about his/her patients to a third party, such as the Cancer Registry, the medical practitioner may still be liable for breach of confidentiality and/or a breach of the constitutional rights set out above. Again the practitioner has to obtain the informed consent of the patient. A solution may be in the drafting of a leaflet that contains information on the register (or research) which can be used in the process of obtaining consent from the patient. This should include the nature of the registry (or study), the uses of the information, the rationale behind- and the importance of inclusion in the register (or study). Guarantees as to confidentiality, de-identification, uses of the register (or research) etc. should also be included in such a leaflet and session.

 

4. Violations sanctioned by law

 

Violations to the right to privacy or freedom and security of the person may only occur if authorised by a law of general application, and if proven to be reasonable and justifiable in a democratic society based on freedom, equality and human dignity. This means that an existing legal principle must be found on which such research or registry must be based. In the absence thereof, government and parliament should be lobbied to pass such a law. Such a law, however, will still have to protect the identity and dignity of patients and is likely to entail a number of provisions similar to those found elsewhere in the world.

 

5. Conclusion

 

It is our advice to our members (and others requesting our view) that information, however de-identified it may be, may only be given to and used by third parties with the express and written consent of the patient. This is to avoid possible litigation by members of the public and/or patients whose personal information has been used in ways different from those that it was given for. Consent can be obtained “afterwards” (i.e. after the patient was seen but before the information is given to the third party (researcher, register or similar)). We therefore advise all researchers to request the medical practitioners from whom they acquire patient information to obtain the necessary informed consent of such patients. In the absence of case law on this matter doing differently will be risky. In relation to research, any person may choose not to take part in any type of research, persons may have religious/political/conscientious objections in being part of a research project or being part of a project conducted by certain researchers or being funded by certain funders.

 

It is also the position in most comparative jurisdictions that not even de-identified information may be used without the patient’s consent. In most countries comprehensive Health Data Protection legislation is in place to protect the privacy of patients.

 

Elsabé Klinck

Human Rights, Law and Ethics

SA Medical Association

11 June 2001

 

These documents do not constitute official SAMA policy.

It is, however, the opinion of the legal department

and is provided without prejudice.