We at Illusio believe Low’s communique is little more than weak hand-waving. Just because the ministry made a judgement call doesn’t mean it should be absolved of blame if it were found to have made the wrong call. In what way was the reasoning as laid out by the minister “not unreasonable”? Low offers no explanation, no yardsticks, no existing standards or guidelines to measure the correctness of the ministry’s decision or the harm done to the PLHIV in the registry.
Readers will recall that in our discussion on the declassification of intelligence documents, MI5 in the UK voluntarily and selectively releases historical intelligence reports to the National Archives, but the minister is entitled to refuse declassification in the interests of national security, as long as the minister enters into the (classified) record that he has indeed weighed the factors and made a judgement call.
Note that the minister himself did not cite national security as the ministry’s reason to withhold disclosure of the breach. Low’s suggestion, with the implication that it is entirely appropriate for the Ministry of Health to apply a purely political calculus to manage a crisis where it should instead have applied healthcare (as its domain of regulation and expertise) or data governance principles (as the situation fell under), is either pure stupidity or administrative arrogance.
How should the Ministry of Health have acted then?
The Ministry of Health is not a healthcare provider; it does not treat the PLHIV on its HIV patient registry. Hence the Bolam-Bolitho test does not apply. Whether the Ministry of Health can be taken to civil court, or simply have the book thrown at it by the PDPC, depends on three basic tort principles:
What was the duty of care owed by the ministry to PLHIV on its HIV registry?
Did the ministry’s actions measure up or fall short of the duty of care owed to PLHIV?
Would other reasonable, responsible, respectable bodies have made the same decision in its position?
We note that Singapore’s HIV registry is a name-based registry which includes confidential information like “addresses, HIV status and other medical information” of PLHIV resident in Singapore, whether they are Singapore citizens, PRs, or guest workers.
The NHS in the UK has this to say in its 2007 guidance on data governance: holders and controllers of confidential patient information have a common law duty of confidentiality to these patients. They have a duty of care to facilitate and maintain the confidentiality of patient records. Applying the common law duty of confidentiality, the NHS and the Department of Health and Social Care advise that “if information is inappropriately disclosed, the individual can take legal action for breach against the public body concerned.” On a design level, the Information Commissioner’s Office (a far stronger version of Singapore’s PDPC) is to be notified by the organisation’s IT head or equivalent whenever confidential records are processed, and it must be notified when breaches have occurred, and it is the arbiter of whether a public authority has properly dealt with a breach.
The Information Commissioner’s Office advises that in the event of a data breach:
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible. Example: A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
And here we have it. A reasonable, respectable, and reputable institution on the level of Singapore’s Ministry of Health would have made the exact opposite of the decision that Mr Gan Kim Yong defended and rationalised in parliament as a good judgement call.
But was there a real, high risk to the rights and freedoms of the PLHIV when Brochez helped himself to Singapore’s HIV registry? Instead of calling in the information and privacy watchdog and experts on this matter, the police were involved. Their lack of expertise in this matter (and their inappropriateness as an investigating authority in this matter) is evident when they judged that, because the data was wiped from Brochez’s and Ler’s devices, there was no real risk of the confidential information getting leaked into the wild.
Yet cybersecurity experts advise, consistently across the board, that if data is breached, even if you cannot tell if it has been published elsewhere, . It is believed the hackers were after the medical data of Singapore’s prime minister and cabinet colleagues. There was an inquiry and the local privacy watchdog, the Personal Data Protection Commission (PDPC) fined the hospital and its technology vendor a total of S$1 million.