16 February 2019

Does Singapore's Ministry of Health deserve immunity for data breach?

Singapore's largest data breach happened in July 2018 when a government hospital became the target of cyber-hackers. It is believed the hackers were after the medical data of Singapore's prime minister and cabinet colleagues. There was an inquiry and the local privacy watchdog, the Personal Data Protection Commission (PDPC) fined the hospital and its technology vendor a total of S$1 million.

Proving Karl Marx's dictum about history repeating itself as a farce, Singapore's second largest data breach happened in 2016 when the ministry's very own HIV registry data was downloaded by Mikhy Farrera Brochez, the same-sex paramour of Ler Teck Siang, the head of its National Public Health Unit, but was only disclosed last week.

Why weren't the public and the patients on the HIV registry informed in 2016? Why are the public and the patients on the HIV registry being informed only now? The minister of health, Gan Kim Yong, explained in parliament that the ministry made the right call because in 2016 the police thought they had deleted all copies of the HIV registry data from Brochez's devices. Since there was no evidence the data had been published, there was no need to inform those affected, because informing them would cause distress and emotional harm.

Surprisingly, the minister suggested affected PLHIV could sue the ministry if they felt it made the wrong call.

Now that's a ministry of health clown show
Throwing the gauntlet?

The minister's advice comes across as unfortunate at best, and a passive-aggressive challenge at worst.

We assume that the minister was serious when he presented his ministry's perplexing decision to keep the breach under wraps as the result of a "judgement call" weighing principles of transparency and timely disclosure against the interests and well-being of the patients (i.e. the preference for anonymity and not to be identified as having a positive HIV status).

But how can PLHIV sue the ministry in civil court? They'd have to prove locus standi, which means they must be willing to be named and identified as PLHIV. That is a high, even punitive, price to pay to seek redress for wrong and harm for which the ministry may be partially or fully at fault, due to its possible mishandling of the breach in 2016.

And why should PLHIV be made to take a civil suit against the ministry, when there's a Personal Data Protection Commission that should by right convene an investigation and mete out fines? Has the PDPC stopped existing? Or does the Ministry of Health, as part of the government, have immunity from the PDPC? That would be a perverse state of affairs indeed, if an organ of the state is immune to the same processes and oversight that the SingHealth group was subjected to, for an ever-so-slightly-smaller data breach.

Did Donald Low give the Ministry of Health a free pass?

Former senior civil servant and ex-LKYSPP dean Donald Low suggests that the Ministry of Health should be given immunity:

I think we can accept the Minister for Health’s explanation that his ministry made an honest “judgement call” not to inform the affected patients of the data breach back in 2016, and that it was not unreasonable for them to assess then that putting out the information would have caused more harm than good.

We at Illusio believe Low's communique is little more than weak hand-waving. Just because the ministry made a judgement call doesn't mean it should be absolved of blame if it were found to have made the wrong call. In what way was the reasoning as laid out by the minister "not unreasonable"? Low offers no explanation, no yardsticks, no existing standards or guidelines to measure the correctness of the ministry's decision or the harm done to the PLHIV in the registry.

Readers will recall from our discussion on the declassification of intelligence documents that MI5 in the UK voluntarily and selectively releases historical intelligence reports to the National Archives, but the minister is entitled to refuse declassification in the interests of national security, as long as the minister enters into the (classified) record that he has indeed weighed the factors and made a judgement call.

Note that the minister himself did not cite national security as the ministry's reason to withhold disclosure of the breach. Low's suggestion, with the implication that it is entirely appropriate for the Ministry of Health to apply a purely political calculus to manage a crisis where it should instead have applied healthcare (as its domain of regulation and expertise) or data governance principles (as the situation fell under), is either pure stupidity or administrative arrogance.

How should the Ministry of Health have acted then?

The Ministry of Health is not a healthcare provider; it does not treat the PLHIV on its HIV patient registry. Hence the Bolam-Bolitho test does not apply. Whether the Ministry of Health can be taken to civil court, or simply have the book thrown at it by the PDPC, depends on three basic tort principles:

1. What was the duty of care owed by the ministry to PLHIV on its HIV registry?
2. Did the ministry's actions measure up to, or fall short of, the duty of care owed to PLHIV?
3. Would other reasonable, responsible, respectable bodies have made the same decision in its position?

We note that Singapore's HIV registry is a name-based registry which includes confidential information like "addresses, HIV status and other medical information" of PLHIV resident in Singapore, whether they are Singapore citizens, PRs, or guest workers.

The NHS in the UK has this to say in its 2007 guidance on data governance: holders and controllers of confidential patient information have a common law duty of confidentiality to these patients. They have a duty of care to facilitate and maintain the confidentiality of patient records. Applying the common law duty of confidentiality, the NHS and the Department of Health and Social Care advise that "if information is inappropriately disclosed, the individual can take legal action for breach against the public body concerned." On a design level, the Information Commissioner's Office (a far stronger version of Singapore's PDPC) is to be notified by the organisation's IT head or equivalent whenever confidential records are processed; it must be notified when breaches have occurred; and it is the arbiter of whether a public authority has properly dealt with a breach.

The Information Commissioner's Office advises that in the event of a data breach:

If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible. Example: A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.

And here we have it. A reasonable, respectable, and reputable institution on the level of Singapore's Ministry of Health would have made the opposite decision to the one that Mr Gan Kim Yong defended and rationalised in parliament as a good judgement call.

But was there a real, high risk to the rights and freedoms of the PLHIV when Brochez helped himself to Singapore's HIV registry? Instead of calling in the information and privacy watchdog and experts on this matter, the police were involved. Their lack of expertise (and their inappropriateness as an investigation authority in this matter) is evident from their judgement that, because the data was wiped from Brochez's and Ler's devices, there was no real risk of the confidential information getting leaked into the wild.

Yet cybersecurity experts advise, consistently across the board, that once data has been breached you MUST assume it has already been stolen and copied, even if you cannot tell whether it has been published elsewhere. The genie is out of the bottle. And what was the HIV registry data that was breached? Names, contact details, residential addresses, and other medical records.

It is self-evident that the Ministry of Health has failed to deliver the duty of care owed to the PLHIV in its actions following the breach:

1. Failure of timely disclosure
2. Failure to report breach to the PDPC
3. Failure to design a proper data governance and post-crisis procedure, both of which were recommended by the World Health Organisation National eHealth strategy toolkit
4. Usurping the PDPC's oversight, leading to the wrong organisations coming to the wrong conclusions based on applying wrong sets of considerations

How can things be set right?

If the 2018 hack of SingHealth records didn't illustrate the need clearly enough: Singapore's healthcare industry and its own healthcare regulator both lack a competent data governance model, even though Singapore may have competently carried out its national campaign to digitise healthcare records.

It appears that the PDPC was not designed to be an integral part of active data governance, nor part of crisis and breach management.

As the HIV registry contains not just the details of Singapore citizens but also of foreign nationals who were resident in Singapore, the fallout cannot be easily contained. Foreign governments, especially European states under the extraterritorial scope of the GDPR regime, hold the whip hand over the Singapore government, especially if the Ministry of Health is seen to be excused from accountability, responsibility, and even the requirement of competence in this matter. Such an egregious series of lapses requires real and far-reaching remedies.

We at Illusio therefore recommend a redesign of the structure of data governance, and that the PDPC be beefed up and empowered as a fully fledged information commission. Further, we recommend that parliament pass legislation making the disclosure of data breaches mandatory, along the lines of the Australian model.

Instead of giving his ministry the all-clear, minister Gan Kim Yong should convene an independent inquiry, refer the breach to the PDPC, and allow the PDPC to set whatever fines and restitution it sees fit. And Mr Gan, as minister in charge of a ministry which has spectacularly failed in its duty of care to PLHIV, should, we hope, offer his resignation to the prime minister after the end of the inquiry and the PDPC hearings we recommend.
