Data Protection during Health Care Emergencies

There are many myths about data protection, but the most dangerous is the one that says ‘data protection gets in the way of saving lives.’ This is false, but the misunderstanding of data protection rules has led some officials being reluctant to disclose important personal health data for fear of repercussions. It has also led critics to mistakenly insist that data protection laws are too prescriptive and governments should ease them to save lives. The truth is that our Data Protection (Jersey) Law 2018 permits disclosure of personal data in cases where it is deemed necessary for individual health and public safety.

The Law makes specific provision for the collection, use and disclosure of personal data by medical professions for medical purposes. It also permits the same for purposes of protecting public health. This means that in circumstances where an individual requires urgent medical treatment, anyone with custody of personal data relevant to that treatment may disclose it to a health professional. In addition, appropriate officials may process the health data of individuals for ameliorating a public health emergency.

If you have custody of personal health data and someone requests it for providing treatment to an individual or for managing a public health emergency, you can disclose it to them. All you need is for them to be able to demonstrate that disclosure of the personal data is necessary to preserve and protect health and that the requestor has the ability to fulfil that purpose. If you are unsure, consult your data protection officer or our office. If there is no time to consult anyone, it is likely better to err on the side of caution to save lives. As long as you operate in good faith to the best of your knowledge, it is unlikely that you will suffer any negative repercussions.

Most jurisdictions across the world have had data protection laws in place for as long as 30 years (Jersey enacted its first piece of data protection legislation in 1987). We have collective experience of what has worked and where there have been unintended consequences. We have shared those experiences and refined our legislation and approach to regulation and enforcement accordingly. As a result, our data protection laws are sensible and take into account virtually all of the circumstances where it is in the public interest to permit the processing of data. In any circumstance where you are in doubt, take the option that appears to be the most reasonable to you. It will almost certainly be the case that the data protection law will support that option. It certainly does where health and safety are concerned.