Lists of Covid names raise issues of public health vs private information

Apurva Vishwanath, Abantika Ghosh, Karishma Mehrotra
coronavirus names, private information, right to privacy, home quarantine, indian express news

Home quarantine is a must for those who travelled overseas.

A list of 722 names with purported passport numbers, cellphone numbers, addresses and travel history of each, is doing the rounds on social media. These are individuals “suspected of COVID-19 and are quarantined at home.” Similar lists for Bhopal, Bengaluru are being circulated, warning citizens to avoid contact with them.

While these lists cannot be traced to a source, some state governments, officially, have made public the disclosure of data of those under quarantine. Battling the spread of COVID-19 virus, such disclosures have raised concerns over balancing the imperatives of public health, doctor-patient confidentiality and the fundamental right to privacy during what is, effectively, a public health emergency.

In the absence of a national protocol or law, state governments are divided on the approach to take: while some states have put data in the public domain to better inform citizens, other states are making efforts to protect identities to avoid panic and to respect privacy.

For those under medical supervision, the Code of Medical Ethics, the mandatory regulations prescribed by the Indian Medical Council, bars disclosure of information relating to the patient learnt during the treatment except in certain cases. The exceptions include circumstances where there is a serious and identified risk to a specific person and /or community; and in the case of notifiable diseases. Diseases are “notified” by the state governments, allowing legal backing for intervention.

However, Ministry of Health guidelines for surveillance provide for sharing of patient/contact information with the state or district level surveillance units of the Integrated Disease Surveillance Programme — from the airport public health officer or any other authority that first comes in contact with them.

But there is no provision in these guidelines to make patient details public or even naming missing patients.

“This is not right in my opinion. Patient details can remain with the surveillance people for purposes of contact tracing etc. and then for the 28 days follow-up period. But in my opinion, it should not be made public. I am not aware of any guidelines to the contrary from the Ministry on this,” said Sujeet Singh, Director, National Centre for Disease Control.

While there is no law backing disclosure, legislation invoked to handle a public health emergency, the Epidemic Act, 1897, and the Disaster Management Act, 2005, provide legal immunity to action taken in “good faith” during this time.

In the US, public information about COVID-19 patients varies between states, with some publishing the admitted hospitals and resident’s municipalities and others leaving it up to counties to determine whether to disclose hometowns.

An overarching law — the Health Insurance Portability and Accountability Act (HIPAA) — provides certain patient privacy protections, but states also have their own specific laws. In the US, during public health emergencies, the Secretary of the Department of Health and Human Services (HHS) has the power to waive certain non-compliance penalties, which was done on March 15 amidst the corona outbreak. But still, disclosing patient names is a violation of the law.

In February, HHS reminded stakeholders to limit the disclosure to the “minimum necessary” amount and to seek patient consent before disclosing their cases to the media and non-care entities.

For contact tracing and ensuring social isolation, states are relying upon informing communities. Karnataka, for example, has published a district-wise list of those who are home-quarantined with travel details and exact addresses on the Department of Health and Family Planning’s website. Many states including Delhi, Gujarat, and Karnataka have instructed local authorities to label houses where individuals are quarantined.

Said Bhavin Solanki, medical officer at Ahmedabad Municipal Corporation (AMC): “We are putting stickers outside the homes of those home quarantined. This way, the neighbours remain aware.” AMC is also informing secretaries and chairpersons of such housing societies about those under quarantine and citizens are encouraged to call authorities on a toll-free number to inform them if anyone is found violating the quarantine.

However, West Bengal, which has put 26,914 peoples under home surveillance and 385 people in isolation, has not disclosed the identities of individuals or hospitals in which they are kept.

Ajay Chakraborty, Director of Health Services, West Bengal, said: “This is our social duty to keep secret those identities. Otherwise, this will create more panic. We are not disclosing the identity even to our family and friends.”

“Disclosures that are needed for contact tracing need to be restricted to public officials who are entrusted with enforcing the quarantine. Personal details must be masked when disclosed in public,” he said.

The Epidemic Act, under Section 4, exempts filing suits or legal proceedings against any action taken “for anything done or in good faith intended to be done under this Act”.

Similarly, the Disaster Management Act, under Section 73 also exempts “action taken in good faith” from all legal proceedings and under Section 74 gives legal immunity to government servants.

“Officers and employees of the Central Government, National Authority, National Executive Committee, State Government, State Authority, State Executive Committee or District Authority shall be immune from legal process in regard to any warning in respect of any impending disaster communicated or disseminated by them in their official capacity or any action taken or direction issued by them in pursuance of such communication or dissemination,” the provision states.

While these two laws exempt legal action, any action that violates fundamental rights must be sanctioned by legislation enacted by Parliament.

“If a data protection law like the Personal Data Protection Bill, 2019 was in force at this point in India, these activities could have been examined in a different light,” said Akriti Gaur, Senior Resident Fellow at the Vidhi Centre for Law and Policy.

In the Data Protection Bill, Clause 12 deals with processing personal data which is necessary for “prompt action”, i.e. processing personal data without the consent of the data principal in an emergency. Under the Bill, a data fiduciary (the government) can process personal data of individuals to respond to a medical emergency where the life of a data principal is at risk. It can also be processed for providing medical treatment or other health services to a data principal in the face of an “epidemic, outbreak of diseases or any other threat to public health”.

“The COVID-19 pandemic can fall under these categories. However, publishing names of individuals, along with their addresses on social media or in front of their houses is not necessary to ‘provide a health service’ or ‘medical treatment’. There are lesser privacy-invasive measures to ensure the health and safety of the community at large. This also puts families at risk of physical or emotional distress,” Gaur said.

If challenged in court, the government’s actions will have to pass the “proportionality test” prescribed by the Supreme Court in the landmark 2017 verdict that recognised the fundamental right to privacy. In the three-fold test, apart from whether the action was taken under a law duly passed by Parliament, the government will have to show it had a “legitimate state interest” to violate the right to privacy and it had considered all less intrusive measures before violating the right.