By Jay Fedorak, Information Commissioner
Recent comment raised the issue of common misunderstandings as to whether officials may disclose personal data to assist in a health emergency. While some people attribute this problem to our local data protection legislation, the real issue is the persistence of misconceptions and myths about how the Law deals with health care situations. It is clear that everyone needs a better understanding of the rules.
The Law does allow officials to disclose personal data in all cases where it is necessary for individual health and public safety. This means that whenever an individual requires urgent medical treatment and is unable to provide or consent to the disclosure of their relevant personal data themselves, anyone in possession of that data may disclose it to an appropriate health professional. In addition, officials may use the health data of individuals to combat a public health emergency.
All health care professionals must understand that the Law explicitly allows them to collect, use and disclose personal data in health care emergencies. This requires that they receive adequate data protection training, or otherwise obtain the same level of understanding. They should never make decisions based upon hearsay, rumours or myths. If in doubt, they should consult their organisation’s data protection officer or our office.
It is also critical to demonstrate the importance of distinguishing the details that are necessary to protect someone’s health. In cases of contagious diseases, officials must determine the minimum level of detail required to ensure that the exposed individual can protect themselves and others. The necessity of disclosing the identity of the virus carrier will depend on the circumstances of individual cases. The guiding principle of the Law is to ensure that the right people have access to the right information, at the right time, for the right purpose.
In devising our current data protection Law, the framers implemented plain language and common sense. Most of the provisions relating to health care emergencies have been in place for fifteen years. Nevertheless, ignorance of the law persists and that poses the real danger. The only way to avoid that risk is to create greater awareness as to what organisations can and cannot do with personal data.
This website contains specific guidance relating to data protection in health care emergencies and COVID-19 in particular at the Data Protection & Coronavirus Information Hub. I also urge anyone who is unsure about their data protection obligations during this unprecedented time to contact us via firstname.lastname@example.org or telephone 01534 716530, as we continue to work remotely during this crisis.