.By Samson Morpurgo, Data Protection & Privacy Lawyer
These days, it seems like there is no governmental body in Israel that doesn't participate in the substantial effort against the coronavirus and attempts to prevent it from spreading. While the General Security Service helps locate people that might be infected, the Mossad (the national intelligence agency of Israel) uses its superior intelligence capabilities to find Medical equipment that many countries are competing for. In this patriotic atmosphere, it is no wonder that municipal authorities want to take part in the joint effort and act to protect their residents.
According to an article published yesterday (March 29, 2020) by Sivan Hilaie from Y-net, several Israeli mayors are demanding that the Ministry of Health reveal and disclose sensitive medical information to them: details about those infected with the virus, including their address, place of hospitalization and medical condition. The Ministry of Health is opposed to providing this sensitive information because it would violate medical confidentiality.
Once again, the extreme circumstances created by the coronavirus raise important questions about the right to privacy. In this case, the question should have been raised many years ago:
Does Israeli law permit the transfer of medical sensitive information ("MSI") about a person, without his or her consent, to save human lives or prevent the spread of an epidemic?
If you are expecting a widespread discussion referring to the relevant section of the Israeli Privacy Act that outlines appropriate and safe procedures for the disclosure of MSI, you may be disappointed. Believe it or not, the Israeli Protection of Privacy Law (PPL) enacted back in 1981 and has not received any significant amendments since 96'. Just to give some perspective, that's also the year when Bill Clinton was re-elected.
Section 1 of the archaic PPL states clearly: "No person shall infringe the privacy of another without his consent". While there is no dispute about the major importance of the consent element when it comes to privacy, the PPL lacks a section that would allow justified infringement on the right to privacy, when the public interest requires it. The legislature's oversight over the years to amend the PPL in this matter is incomprehensible.
In the United States, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses that distinct issue. It permits certain organizations that keep MSI about a person to provide it to others when the public health and interest requires and justifies it – even without the person's consent. In particular when: "A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition…" sounds familiar?
The European General Data Protection Regulation (GDPR) also addresses the need to balance between the right to privacy of individuals and other important and/or public interests. It determines several scenarios that allow for the use (including disclosure) of personal information – even without the consent of the person in question. According to article 9(2)(g), it is permitted to do so when "processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject".
Would amend the PPL in a way that sacrifices the right to privacy for the 'greater good' in effect result in a denial of human rights? Is such an amendment desperately needed for the proper functioning of the municipal authorities? Those questions and more are awaiting a decision from the Israeli legislature. It is high time to refresh and revive this dusty legislation in one of the most rapidly evolving areas the law, and bring the PPL into the high-tech, media, and data-centered modern era.