Today’s question touches on confidentiality in these times of COVID-19 and is prompted by a Facebook post where a person who claims to be a nurse working in a testing centre ‘recognised not one but two different ppl who had I had tested the previous day, out and about’ when they should be at home self-isolating pending the results of their test. The post in question goes on:

A part of my job is to maintain strict confidentiality of our patients which I have always done proudly. Breaching confidentiality could mean deregistration and a loss of my career and livelihood.

However, I am at the point of absolute frustration, disbelief and saddened that ppl are not taking this seriously.

Therefore I have decided that if ANYONE has such a disregard for the rules, myself and my colleagues and decide to put our community and nation at risk I will not hesitate to report those ppl. If that means the loss of my career and livelihood then so be it!

My correspondent says:

The frustration you can clearly see in this local nurse is obvious, but I’m more interested in the legal side of things. Surely there aren’t any patient confidentiality issues here reporting someone breaching quarantine guidelines whilst waiting for COVID-19 test results as long as that report is done to the right places (i.e. not suggesting a public naming and shaming on social media. An actual report to enforcement authorities) and in good faith?

I’d be interested to hear your thoughts if this nurse would be in the ‘firing line’ in regards to her registration or employment should she take action.

There is some case law that says breaching confidence to prevent greater harm is OK.  In W v Egdell [1990] 1 All ER 835 (a UK case) a psychiatrist was engaged to provide an expert opinion to support a person’s application for conditional discharge from a secure mental health facility.  W was being detained after killing 5 people and injuring 2 others in a shooting incident some 10 years earlier.  The psychiatrist wrote his report in essence saying that in his opinion the prisoner was dangerous and should not be transferred to a less secure unit in anticipation of eventual release.  Not surprisingly the applicant’s lawyers did not like that report and chose not to include it in their submission.  The doctor, on becoming aware that his report was not before the Mental Health Review Tribunal, took it upon himself to breach the patient’s confidence (remembering that he had been engaged on behalf of the prisoner/patient) by sending his report directly to the Tribunal.  In an action for breach of confidence the court said the doctor’s actions were lawful. Sir Stephen Brown, President of the Court of Appeal said:

The decided cases very clearly establish:

(1) that the law recognises an important public interest in maintaining professional duties of confidence; but

(2) that the law treats such duties not as absolute but as liable to be overridden where there is held to be a stronger public interest in disclosure.

In this case the public interest, and the limited nature of the disclosure, meant that W’s action for damages for breach of confidence was dismissed.

Compare that to the New Zealand case, Duncan v Medical Practitioners Disciplinary Committee [1987] 1 NZLR 513. Dr Duncan had concerns about his patient’s fitness to continue his occupation as a bus driver. The doctor advised his patient to give up his job, which he refused to do. The doctor asked one of his other patients to help organise a petition to get his patient’s licence revoked. The patient complained to the Medical Practitioners Disciplinary Committee, which found the doctor guilty of professional misconduct and imposed a fine. Rather than leave it there, and rather than appeal, the doctor went public on the national media (not a lot making news in New Zealand that week). Jeffries J said:

There may be occasions, they are fortunately rare, when a doctor receives information involving a patient that another’s life is immediately endangered and urgent action is required. The doctor must then exercise his professional judgment based upon the circumstances, and if he fairly and reasonably believes such a danger exists then he must act unhesitatingly to prevent injury or loss of life even if there is to be a breach of confidentiality. If his actions later are to be scrutinised as to their correctness, he can be confident any official inquiry will be by people sympathetic about the predicament he faced. However, that qualification cannot be advanced so as to attenuate, or undermine, the immeasurably valuable concept of medical confidence.

Ultimately Dr Duncan was struck off the register of medical practitioners.

The fundamental difference between the two was who they told: Dr Egdell told the Mental Health Review Tribunal, the body that needed the information and that had the authority to act; Dr Duncan, on the other hand, told the world at large.

The Australian Privacy Principles that govern the obligations on government and health agencies say that information must only be used for the purpose for which it was obtained and impose limits on how information may be shared, but there are exceptions. I’ll use the Privacy Act 1988 (Cth) as the model for my answer (as I don’t know what jurisdiction the original post or my correspondent comes from). The Privacy Act 1988 (Cth) sets out in Schedule 1 the Australian Privacy Principles. Australian Privacy Principle 6 deals with the ‘use or disclosure of personal information’ and I’ll assume, without going through all the definitions, that the fact that the person has undergone testing for COVID-19 and that the person who knows that only knows it because they were one of the health practitioners involved makes that ‘personal information’.

The Privacy Principles say:

6.1       If an APP entity holds personal information about an individual that was collected for a particular purpose (the primary purpose), the entity must not use or disclose the information for another purpose (the secondary purpose) unless:

(a) … or

(b)  subclause 6.2 or 6.3 applies in relation to the use or disclosure of the information.

The release of information may be permissible where (s 6.2):

(b)  the use or disclosure of the information is required or authorised by or under an Australian law …

(d)  the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or

(e)  the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

Again, without going through all the definitions, I will assume that the entity conducting the testing is an “APP entity” (see s 6, definitions of APP entity, agency and organisation).

There is also permission to share information in the event of a ‘permitted general’ or ‘permitted health’ situation (ss 16A and 16B). Information can be disclosed (s 16A) where:

(a) it is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure; and

(b) the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

I think we could infer from the situation described that the person’s consent would not be forthcoming.


Where a person has failed to comply with an order made under the public health legislation in a particular state, then there may be grounds to report that, but care must be taken to report it to an appropriate authority, i.e. someone authorised to take action under the relevant public health legislation.

For a registered health practitioner, a cautious approach would be to report it back to their employer for them to arrange for someone to counsel the patient and make sure they understand their obligations before taking further action, but ultimately the best way to proceed would be a matter for the practitioner.