By: President Aigbokhan
The importance of privacy in our bureaucratically driven society can never be overrated but even then there are limits to the extent to which a free and democratic society can and should protect privacy interests. On the 20th day of July 2014, Patrick Sawyer a Liberian who contracted the Ebola virus on his way to Nigeria for help became critically ill on the flight and was rushed to the First Consultant Hospital, Obalende where he died on the 24th day of July 2014 and leaving Nigeria with the index case of Ebola virus. The name of the Ebola patient, the medical history, the name of the wife, the number of children and his workplace were shared in public space. In a similar circumstance, on the 24th day of February 2020, an Italian man arrived in Nigeria on a Turkish Airlines flight with coronavirus. The Italian though has been certified fit after some weeks is the first confirmed case of the coronavirus in sub-Saharan Africa and yet his identity is unknown and personal details were not disclosed. This privilege of physician and patient is also linked to some professional ethics such as confidentiality of disclosures between attorney and client as well as priest and penitent.
Under a balance of privacy and access to information, scrutiny of public institutions by individual citizens is encouraged while encroachment on private affairs of citizens by governmental institutions is discouraged. Importantly, the interest of an individual in preserving personal privacy must yield to the public interest in being able to subject the conduct of public affairs to scrutiny for there to be access. Healthcare providers are data controller and their liability for data breaches is strict. Before the introduction of the Nigeria Data Protection Regulation, the privacy of citizens was not under threat but administrative and judicial design was traditional. The main factor that accounts for Covid index case secrecy is the legal regime yet unlike many legal concepts, the liability for data breaches by health institutions has only been recognized by law and this is one work that establishes its legal basis.
The National Information Technology Development Agency (hereinafter referred to as “NITDA”) passed a regulation called the Nigeria Data Protection Regulation 2019 (hereinafter referred to as (“NDPR”). The prime purpose of NDPR is to safeguard the right to data privacy and prevent the manipulation of patient information. The NDPR binds and protects Nigeria and corporations registered in Nigeria or patronized by Nigerians (local and international). Very importantly, the NITDA Act and the regulation effortlessly ended the unregulated regime of patient data processing and disclosure. The regulation does not only create a right of protection for patients or other individuals but also makes health administrators more accountable for their business practices.
Healthcare providers are data controllers of their patients’ information and records. Patient privacy means that information in the custody of health institutions held about the institution should be accessible to him or her only and the institution in the custody of the information or record should protect the patient’s information from third parties. Healthcare institutions have a duty to secure patients’ health records within the guidelines provided in the Nigeria National Health Act 2014 (hereinafter referred to as “the Act”) and the regulation as it sets a baseline of protection for patients’ identifiable health information.
The regulation grants patients the choice as to whether their health information may be disclosed which includes treatment, payment and health care operation plan. Generally, the regulation requires healthcare providers to obtain a patient’s written consent before they disclose the health information to other people and organizations. Informal institutions like civil society groups and media are relevant in achieving the goals of NITDA and more importantly the protection of the privacy rights of Nigerians. Civil society groups and media have remained relevant in the actualization of good relationships between the government and its agencies on the one hand and the government and the general public on the other hand.
Patient’s data or information is the property of the patient and the right is recognized as a fundamental right to privacy under the Constitution, health-related information is one of the most sensitive kinds of personal data. The regulation broadly defined personal data as any information relating to an identified or identifiable natural person. Patient’s privacy is guaranteed where his/her medical records or information like name, address, photo, email address, phone number, bank details, posts on social networking websites medical information etc is not disclosed to third parties. Some categories of healthcare information fall within the scope of a privacy interest under the Freedom of Information Act and NDPR and some others are public information that should be accessed by members of the public. The first common law recognition of a citizen’s right to privacy against the state is in the case of Entick v Carrington (1765) 95 ER 807 where it was held that the Crown committed trespass if it entered private property without a lawful basis for doing so. The right was first pronounced in Nigeria in the case of Minister of Internal Affairs v. Shugaba Darman (1982) 3 NCLR 915 where the Court held that the deportation of the applicant back to his country is a breach of his right to privacy.
Patient information is becoming increasingly important and so the darkness around the identity of the Italian index case of Covid 19 is backed by law, policy and good conscience. Privacy protection has not been traditionally afforded the high priority it deserves particularly in the health sector. Much of patients’ information in Nigeria is with private hospitals with maximum independence and minimum privacy policies and values. The Freedom of Information Act 2011, Nigeria National Health Act 2014, National Information Technology Development Agency Act 2017 and Nigeria Data Protection Regulation (NDPR) 2019 complement one another in privacy administration in Nigeria. Similarly, the African Union Convention on Cyber Security and Personal Data Protection 2014 also protects patients from automatic processing of their data. The convention aimed at the regional level to protect and promote information collected and recorded either by the government or by the private sector.
A patient can apply for health records. A patient’s access to their record can be for reviewing, amending, correcting or deleting personally identifiable information. Max Schrems, an Austrian lawyer pursued a case against Facebook for the right to access the personal information collected about him. The application was brought under the European Data Protection Directives which established a right to access personal data held by companies. The application was granted and he received far more information than he ever thought. It must be noted that a health administrator can refuse to treat a patient who discloses false personal information or refuses to disclose his details that are relevant save is a psychiatric patient (Section 11 (3) of the Nigeria National Healthcare Act 2014)
The transition from paper to computer-based record keeping in the health sector promises greater efficiency and cost savings but with increased concerns about the threat to patient privacy in the course of data processing. The regulation sets out the conditions under which patient data can be processed. In practice, it applies to the processing of personal data by Nigerian and non-Nigerian health administrators where such processing is in the context of monitoring the behavior of patients. Processing means an operation performed on personal data and it applies also to data storage or retention. Forms of processing include collection, storage, retrieval, reviews, disclosure by transmission, dissemination, restriction or destruction. Processing of data is lawful if the patient has given consent to the processing of his or her data for one or more specific purposes or if the processing is necessary for the performance of a contract to which the patient is party or to take steps at the request of the patient before entering into a contract.
The key grounds for processing patient data relevant to health investigation are consent, legitimate or public interest. The requirement to attain specific consent of patients for each singular purpose of use is likely to be cumbersome. Relying on patients’ consent to process its data, is considerably more difficult under the NDPR. Consent will not be valid unless it is: freely given, specific and unambiguous. As a result, processing can be carried out under a different ground of the regulation where possible. The patient must freely, informed and unambiguous consent to the processing of his data. No data shall be collected unless the specific purpose of collection is made known to the patient. Before collecting patient data, the health administrator must provide the patient with the identity of the hospital management, details of data protection officers and the purpose of the processing for which the personal data are intended as well as the legal basis for the processing and the period for which the personal data will be stored.
Health administrators protect the information of patients and other individuals who are not patients of the care provider but make enquiries about the services of the institution. A health administrator who has access to the health records of a patient may disclose such personal information to any other care provider, person or health establishment as it is necessary for any legitimate or public interest purpose where in the circumstance of the case disclosure or access is in the interest of the patient or the public. Aside from consent, the legitimate interest condition is usually the most relevant condition when conducting investigations of patients. An important factor in undertaking the balancing test under the legitimate interest condition is to assess whether the patient would reasonably expect the type of processing.
Personal medical information may be disclosed to health professionals who are involved in patient care. This is because the information is generally made available to other health professionals and health service providers who are involved in his care but the health administrator is liable for the mishandling of the information even when the handler is a consultant (Article 2.4 of NDPR). It is important that patient collection and processing of privacy policy must be placed conspicuously on a board in the reception or on the website of the institution in a way that patients in the locality or targeted patients can reasonably be said to understand.
The regulation applies to hospitals that are established in Nigeria and Nigerian citizens who live outside the country. Most of the major data processors such as Google, Facebook, Whatsapp and foreign hospitals like Flying Doctors, Primus International Super Specialty Hospital, Reddington Hospital, Dr. Hassans Hospital, and Apollo Hospital with offices in Nigeria and abroad are bound by the regulation regardless of whether the personal data of the patient it processes is Nigeria or not. Similarly, the regulation applies to hospitals where Nigeria goes to take treatment abroad. These hospitals must file compliance reports with NITDA under the regulation. Because of Nigeria’s mutual legal assistance agreement with most countries, NITDA can collaborate with the Attorney General of the Federation to go after foreign health administrators who breach the data of patients if the need arises. Personal health data intended for processing outside Nigeria can be transferred under the supervision of the Attorney General of the Federation and the Attorney General must ensure that the data is secured. In the absence of any decision of the Attorney General as to the adequacy of safeguards in a foreign country, a transfer of personal data to a foreign country can proceed where it is in the interest of the public or on the approval of the patient or the transfer is necessary for the performance of a contract between the patient and the health institution.
Both under the Nigeria National Health Act of 2014 and NDPR of 2019 information concerning a patient’s health status, investigation, treatment, health insurance or stay in a health facility is strictly confidential (Section 27 (1) of the Health Act). In teaching hospitals, a health administrator with the consent of the patient and relevant health research ethics committee can use the photographs or audio-visual recordings of the patient for research, training and teaching. But where the research or teaching requires no identifiable details of the patient no authorization is required. Patient information is gathered, stored and used for patient care, medical and research by health administrators but not without some challenges. Personal data are easily available and could be unjustly obtained by anyone than ever before and this inalienably exposes the health administrators to liability. A personal data breach means a breach of security leading to the unlawful or accidental destruction, loss, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.
Under the Health Act, breach of privacy is an offence punishable with imprisonment, fine or both for failure to audit the institution and lodge an annual privacy audit with NITDA annually. Nevertheless, a breach of the regulation is constructed as a breach of the provisions of the NITDA Act of 2007 and the complainant cannot file a suit at the court without exhausting the remedies at the administrative panel of NITDA. Under the law, health administrators indemnify health workers for out-of-pocket expenses or legal fees incurred in the course of their defence where the suit or claim is in favour of the caregiver and its official. With the new high-speed technologies, it is easier to gain personal data and national secrets through cyberspace and multimedia. Personal health record attracts greater protection and liability than ever before. Health administrators should minimize the amount of personal information of patients collected although in most cases it will be difficult to completely remove the possibility of collecting this type of data.
President Aigbokhan is the founder of FOI Counsel and can be contacted via president@foicounsel.com or +2348032683434