Patient Confidentiality in Saudi Healthcare

Chapter One Introduction And Background To The Study

…It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general. Without such protection, those in need of medical assistance may be deterred…from seeking such assistance thereby endangering their own health (and)…that of the community. The domestic law must therefore afford appropriate safeguards so that there may be no such communication or disclosure of personal health data as may be inconsistent with the guarantees of Article 8 of the Convention.

Background of the Study

This thesis examines the adequacy of the existing legal safeguards for patient confidentiality under the Saudi Arabian legal system. Patient confidentiality can be simply referred to as the patient’s right to the protection of their personal medical information within health care institutions under normal conditions. The healthcare practitioner-patient relationship becomes more complex as a result of advances in information technology and modern forms of communication, which further involve the management of patients’ records. There is an increase in the use of information technology in managing patients’ private information in the Saudi Arabian healthcare delivery systems without a corresponding review of the law dealing with patient confidentiality. The thesis argues that, even where a patient is entitled to the right to confidentiality under the law, the law ought to be dynamic to deal with the new challenges. The quote above, from the European Court of Human Rights (ECtHR) in Z v Finland, established that where patients are assured of their rights to both confidentiality and privacy, they will have confidence in medical services as well as in seeking help from healthcare practitioners (HCPs). The contrary will mean a lack of confidence in the medical services, which will be counter-productive. In Z’s case, the court restated the need for domestic law to afford appropriate safeguards for protecting the right of the patient to confidentiality. Z applied for relief to the ECtHR, alleging that her right to privacy under Art 8 of the Convention was infringed when her HIV status was disclosed by the media during her husband’s criminal trial. It is important to note, from the start of this discussion, the unique nature of the Saudi Arabian legal system before discussing how patient confidentiality is protected under that legal system. Saudi Arabia is governed under Shari’ah law principles.
Given that the Shari’ah is a body of divine law, it is in many respects different from man-made laws. Thus, the study reviews literature from both perspectives. It is also worthy of note that there is limited literature on the subject from a Saudi Arabian standpoint. The motivation for the research is borne out of the author’s personal working experience as an HCP. The author’s job role often requires the use of social media platforms and electronic information systems in communicating patients’ private information. Usually, the author and other team members engage one another via social media channels during the management of outbreaks of infectious diseases. Furthermore, the research aims to contribute to the development of a model for the protection of patient confidentiality in Saudi Arabia. This study, apart from maintaining the distinction between the concepts of confidentiality and privacy, focuses on the right to confidentiality, as opposed to an elaboration on the right to privacy. Thus, the study unties the knot around data protection/confidentiality under the Saudi Arabian legal system vis-à-vis international best practice as exemplified in the system applicable in Europe. The study is, however, not a comparative research.

1.2 Research Questions and Objectives

The information technology (IT) revolution has improved the quality of medical care in many countries. Nevertheless, the increase in the use of modern information technologies in the care of patients around the globe presents a threat to the safety of patients’ private information. Therefore, this research addresses the overarching question: How adequate is the legal protection for managing patient confidentiality under the Saudi Arabian legal system? In order to tackle the above question, the study reviews human rights in patient care (especially as they relate to the right to patient confidentiality) and how this has been defined under the international human rights laws (IHRLs); at the same time, it examines the legal framework for the protection of patient confidentiality in Saudi Arabia. The research aims to improve on the current framework for the protection of patients’ right to confidentiality in Saudi Arabia and to design a model that will be dynamic in the face of contemporary challenges to patient confidentiality arising from an increase in the use of information technology in the management of patients’ private data. To achieve this aim, the study identifies the following objectives:

To define what is meant by patient confidentiality and how it is protected by law;

To examine what lessons may be learnt from the IHRLs in so far as this is not incompatible with the Shari’ah;

To determine whether the current Saudi Arabian laws offer adequate protection for patient confidentiality in compliance with the triple test of legality, legitimate aim and proportionality;

To identify current challenges that impair the adequacy of legal protection for patient confidentiality and to identify gaps in the laws; and

To advance appropriate recommendations geared towards improving the protection for patients’ right to confidentiality in Saudi Arabia.

In pursuing these objectives, this study argues in support of a liberal interpretation of Islamic principles to advance the right to patient confidentiality.

1.3 The Contextual Framework

The Shari’ah, which regulates Saudi Arabia, is derived from the Islamic tradition. It ‘indicates the moral code and religious law of a prophetic religion…Shari’ah is all-embracing where it embodies acts of devotion (ibadah), commercial transactions (mu’amalah), political system (siasah), marriage or family laws (munakahat) as well as the concepts of offences, crimes…’ The Shari’ah places a high premium on and protects an individual’s right to confidentiality as well as privacy, with a few exceptions. Furthermore, there are several regulatory protections for personal data that are spread across different legislations. Recent advances in IT and the use of social media platforms have opened up a new vista in the management of patients’ confidential information, not only around the globe but also in the Kingdom of Saudi Arabia. In the same vein, the use of the internet among HCPs is on the increase. For instance, available statistics show that as of 2018, there were around 30.25 million internet users in Saudi Arabia, with about 25 million active social media users. Furthermore, out of the nearly 25 million persons who are active on social media, 18 million Saudis access social media platforms on their mobile devices. This number accounts for nearly 72 per cent of all social media users in the country. In the same vein, there is increasing use of smartphones with internet capability among HCPs in the Kingdom of Saudi Arabia. For instance, a study on medical interns and final year medical students conducted at Qassim University, Saudi Arabia, revealed that 100 per cent of the participants own smartphones. However, 78 per cent of the participants claimed that they had never used their smartphones to share patient-identifiable data with colleagues (which carries a risk to patients’ confidentiality as well as privacy).
Another study of mobile phone use among medical residents in Saudi Arabia, using a cross-sectional multicentre survey, showed that 99 per cent of the participants were mobile phone users, with no significant difference in use between male and female respondents. Aside from the potential risk of breach of confidentiality due to the use of information technology being a global concern, the unique nature of the legal system in Saudi Arabia calls for concern due to the country’s conservative legal system. For example, in a survey conducted in the Middle East, it was reported that the average cost of a data breach in Saudi Arabia and the United Arab Emirates (UAE) stood at $108.52 per capita. From the United Kingdom’s perspective, there have been crucial reports in the mainstream media with headlines implicating HCPs for unprofessional conduct as a result of breaches of patient confidentiality on social media platforms. Here are a few examples: ‘Medical students’ cadaver photos get scrutiny after images show up online,’ and ‘Nursing students expelled from university after posting pictures of themselves with a human placenta on Facebook.’ Another reported abuse of social media by HCPs was an incident involving five nurses who were fired for Facebook postings. Even though there is a dearth of decided cases involving breach of patient confidentiality, incidents like the ones mentioned above raise the risk of possible breaches of patient confidentiality in the care setting. This possibility is a thorny issue, particularly for a jurisdiction such as Saudi Arabia. On the positive side, Saudi Arabia, despite being a conservative and culturally sensitive country, has witnessed spectacular progress in healthcare and stands out among its peers. Saudi Arabia is investing heavily in electronic healthcare information systems and aiming to build a single electronic health system in the year 2020.
As a result of Saudi Arabia’s introduction of an electronic medical information system, the use of e-health involvement systems is becoming widespread.

Interestingly, patients in Saudi Arabia show increasing interest in e-health management, and are happy with the use of health information technology to manage their private data. A Saudi empirical study reveals that nearly three-quarters of the respondents showed interest in the electronic health information system to manage their care. However, about an equal proportion (representing 67 per cent) expressed some concerns about the possibility of a data breach and were worried about their personal health information being stored online.

1.3.1 The Healthcare Professional and Patient Relationship

It is not out of place to discuss the relationship between a patient and the HCP in a study on patient confidentiality. The HCP-patient relationship is an ancient one and has developed over time. Apart from the expectation that the HCP must have good interpersonal skills, be a good listener, be trustful, compassionate and caring, the HCP-patient relationship is a fiduciary one and requires utmost good faith and care. It is regarded as a relationship built on the concept of trust. Whilst there is no direct provision in the Qur’an or the Sunnah that deals with confidentiality of information obtained as a result of an HCP-patient relationship, contemporary Islamic scholars have interpreted the statement of the Prophet (peace be upon him (PBUH)) ‘the one whose counsel is solicited is the bearer of Amana (trust)’ to infer a duty of trust on HCPs who, in the course of performing their roles, assume a fiduciary relationship with their patients. Thus, by analogy, anyone who is entrusted with confidential information including HCPs, lawyers, bankers and accountants is under a duty to diligently guard the information received in the course of carrying out that duty. Akin to the Hippocratic Oath, Muslim doctors are required to take an oath not to disclose anything that they see or hear in the course of their engagement with the patients. The Hippocratic Oath, now referred to as the World Medical Association (WMA) Declaration of Geneva, reads in part thus: ‘I will respect the secrets that are confided in me, even after the patient has died.’ The Islamic Medical Association has on its part implemented a similar oath for Muslim physicians. Therein, Muslim physicians are required to state as follows: ‘Take this oath in thy name, the Creator of all the heavens and the earth and undertake to respect the confidence and guard the secrets of all my patients’ The right to patient confidentiality further promotes trust and confidence. 
This means trust on the part of the HCP to protect the patient and confidence on the part of the patient to be able to disclose information about their private life. Furthermore, the right to confidentiality will aid the HCP to successfully understand the patient’s ailment, diagnose it and properly plan for the right line of treatment. HCPs must bear in mind, while dealing with patients, that ‘trust is difficult to gain and easy to lose.’ Furthermore, confidential relationships must encourage openness, trust and frank disclosure of all the possible relevant information between the patient and HCP to enable the latter to successfully treat the patient’s disease or illness. Therefore, the legal protection of patient confidentiality is of utmost importance.

1.3.2 Ethical Basis of Patient Confidentiality

Whilst it is noted that the patient’s confidentiality is a matter of culture, society and legislation, it is also a professional duty for the HCP, just as it is for other persons who have a fiduciary responsibility. Every HCP owes an ethical duty to protect their patient’s confidential information. From a consequentialist perspective, protecting patient confidentiality could potentially maximise good consequences by creating trust in the patient, enabling the patient to make full disclosure of health information, which in turn aids the HCP in gaining a more accurate understanding of the patient’s ailment and in recommending a suitable treatment regimen. In order to build and sustain trust, virtue ethicists agree that the patient expects that the HCP would keep the patient’s private information secret, and that the professional would respect that expectation. On the other hand, from a utilitarian perspective, the concept of confidentiality is to maximise its utility by encouraging the patient to open up to the HCP and seek medical assistance. Therefore, as an act of utilitarianism, it could allow for a breach of confidentiality if doing so would maximise its utility, or, on a right/duty-based view, because it allows for the weighing of individual rights. In line with the common law, this appeals to the greater good for most people, i.e. where it is in the public interest. Thus, there needs to be a balance as to when the private right to confidentiality should be withheld in the interest of the public. HCPs, as a matter of ethics, owe their patients a duty to keep the latter’s private information confidential. Based on the above, professional associations and regulatory bodies in the healthcare industry have created professional codes to guide their members. For instance, the Saudi Commission for Health Specialties has created a Professional Code of Ethics for Healthcare Professions. This code echoes the need to protect patient confidentiality.
In the same vein, in the UK, the General Medical Council and the British Medical Association have published core guidance outlining the professional and ethical obligations of the doctors to maintain both confidentiality and privacy of their patients in the care setting.

1.3.3 Legal Basis of Patient Confidentiality

The duty of an HCP to maintain a patient’s confidentiality, apart from being an ethical one, is also a legal obligation. In an empirical study conducted in Saudi Arabia, a 26-item questionnaire was developed using the Patients’ Bill of Rights and Responsibilities. The questionnaire covered, among others, demographic details, educational level, as well as questions regarding patients’ awareness, perception of availability and implementation of patients’ rights, including the right to confidentiality. The results showed that, while the majority of the patients were concerned about their rights, they rarely exercised their rights as patients. Under the Saudi law, any liability arising from breaches of confidentiality falls within the scope of legal liability. As a general rule, HCPs in Saudi Arabia are under a legal duty to respect the confidentiality of their patients. If a patient’s private information is wrongfully disclosed and doing so causes some type of harm to the patient, they could have a cause of action against the healthcare provider for breach of confidentiality or other related torts. In other western jurisdictions, e.g., the UK, the right to confidentiality could arise as a result of the constitutional protection of privacy and confidentiality. It could as well arise as a tortious liability or a breach of legislation governing patient confidentiality rights. For example, under the common law, wrongful disclosure of confidential information could constitute a legal wrong. It could directly result in a breach of contract, negligence, an equitable wrong or even a criminal offence. There is, in the same vein, a possibility of a breach of human rights or a professional code of practice. Where the physician-patient relationship is contractual, an implied term of the agreement is that the physician will maintain the confidentiality of disclosures that the patient makes for diagnosis or therapy.
In other instances where HCPs are paid by the healthcare institution or the government or its agency without direct contractual ties with the patients, they may still owe an implied general duty of care to the patients. Therefore, a deliberate or negligent breach may make them liable for negligence. An aggrieved patient relying on a breach of the right to confidentiality may bring an action against the HCP or the employer.

Despite the various legal frameworks, there is now a universal legal test which can be applied under the IHRLs.

1.3.4. To Share or Not to Share? The Dilemma of the HCP

HCPs may find themselves in some situations entangled in a dilemma of whether or not to disclose a patient’s private information to others, who may not be involved directly in that patient’s care. Therefore, the duty of maintaining the patient’s confidentiality may conflict with the duty to inform a critical member of the health team for the continuum of care to be effectively maintained. Under international human rights law, there is an imposed duty of confidentiality on persons responsible for handling or processing a patient’s sensitive information. The responsible person and those involved at any stage of the processing of such information are obligated to maintain the confidentiality of patients’ private data. This obligation shall remain even after ending the relationship with the data subject or with the responsible person. The right to confidentiality in Saudi Arabia is governed by the Shari’ah. Under the Shari’ah, the right to confidentiality is not absolute. The recognised exceptions include the cases in which the patient has consented to the disclosure, or where doing so is in the patient’s best interest or the public interest, or where it is required by law, or the cases in which the health of a spouse or the public is at risk, especially in the prevention of an infectious disease or crime. Contemporary Muslim jurists have based the exceptions on various juristic rules. These include ‘choosing the lesser evil or greater good is always the priority,’ and the notion that the ‘public interest overrides individual interest.’ However, the jurists did not disclose the modus for evaluating the degree of harm nor the distinction between major and minor harm, which are relevant factors for determining the ‘rightness’ or ‘wrongness’ of a breach in confidentiality as compared to the principles of probability and the magnitude of potential harm.
In a fatwa, for instance, the jurists affirmed that a breach of confidentiality may become justifiable if the harm of maintaining confidentiality overrides its benefits, by allowing the commission of a lesser evil to avoid the greater one, and for an overriding public interest, which favours enduring individual harm to prevent public harm or safeguard the public interest. It is imperative to note that there is a dearth of literature providing clues as to when it is enough to justify a breach of confidentiality under Islamic law vis-à-vis what is applicable under the IHRLs. For instance, studies such as ‘AIDS and Confidentiality,’ ‘AIDS and a Duty to Protect,’ and ‘to tell or not to Tell: breaching confidentiality with clients with HIV and AIDS’ have created a slightly different view of the issue from that of the Islamic viewpoint. Furthermore, Islamic fatwas have not explored concerns about the disclosure of genetic information to third parties, an issue that is very important in modern medicine and which has been investigated by Western researchers. Nevertheless, the IHRL creates a relevant legal bridge between the Saudi and Western legal systems.

1.3.5 Sharing Patient Information in the Healthcare Team

There is a general presumption that a patient has given implied consent for sharing confidential information among health care team members. The multidisciplinary team, or ‘circle of care’ as it is called in other jurisdictions, includes the individuals and activities related to the care and treatment of a patient and covers related activities such as laboratory work and professional or case consultation with other health care providers. Therefore, sharing of a patient’s information among them has become imperative to ensure a smooth and rapid transition during the continuum of care. Where a statute provides for a statutory duty to disclose otherwise confidential information under some defined circumstances or allows for disclosure, it would not constitute a breach of confidentiality if disclosure ensues in such situations. Examples of statutory authorisations include the reporting of infectious diseases where there is a serious risk to others, stating the underlying cause of death in a death certificate, notification of births and deaths, and reporting of alcohol consumption-related road traffic accidents. Other exceptions include the interest of improving patient care or the public interest, creating a database for surveillance and analysis of health and disease, preventing acts of terrorism, or apprehending or securing the prosecution or conviction of suspected criminals. Despite the multiple possible legal bases, a single framework of evaluation can be enshrined under the IHRL.

1.4 The Significance of the Study

Apart from being an offshoot of the right to privacy, patient confidentiality is an integral part of modern society and plays a pivotal role in it. There is, therefore, a need to ensure that this right to patient confidentiality is upheld in the face of the increasing use of modern forms of information technology. The use of IT systems by HCPs poses a challenge to the protection offered by laws in conservative jurisdictions. The case of Saudi Arabia calls for more concern considering the nature of its unique legal system. Whereas the legal protection for patient confidentiality is robust and more elaborate in the West, there is a need to investigate how modern technology may affect patient confidentiality in a legal system such as Saudi Arabia’s as well as to offer recommendations. In Saudi Arabia, a breach of confidentiality is only a criminal offence. This is in contradistinction with what is applicable in other legal systems, where a breach of patient confidentiality gives rise to both a criminal offence and a tortious liability. The literature review conducted as a part of this study reflects the fact that there is a dearth of legal writings on the right to patient confidentiality in the Kingdom of Saudi Arabia. This investigation is novel and unprecedented, as there has not been any doctrinal study conducted on the subject in Saudi Arabia. This research, therefore, is an attempt at evaluating the existing legal safeguards regarding the right as well as the duty of patient confidentiality in the Kingdom of Saudi Arabia. The study seeks to fill the gap in the literature by enriching the body of knowledge on the subject. There is currently no comprehensive law under the Saudi Arabian legal system that specifically provides for information confidentiality, except some provisions scattered here and there under some legislation.
Some of the legislation includes Article 40 of the Basic Law of Government which protects the privacy of communication and prohibits confiscation, delay, surveillance or eavesdropping except in cases provided by the law. In the same vein, the Telecom Act makes provision to protect information exchanged via public telecom networks. Furthermore, judicial precedents are not binding on lower courts in Saudi Arabia unlike what applies in the common law system. Thus, in Saudi Arabia, decisions reached in Saudi courts do not establish binding precedents in the Kingdom. As a result, there is no guarantee that a court below a superior court will decide a subsequent case with similar facts and issues as the previous case. This is because adjudication is strictly on a case by case basis and in line with the interpretation of the Shari’ah by the trial judge. Accordingly, Article 48 of the Basic Law of Government obliges the courts to:

…apply the rules of Shari’ah in the case that are brought before them, in accordance with the precepts contained in the Qur’an and the Sunnah, and regulations decreed by the ruler which do not contradict the Qur’an and Sunnah…

The above could potentially result in inconsistencies in the interpretation of the laws. It appears that these impediments could significantly affect the patient’s access to justice. Other grey areas of the existing Saudi data protection laws include the lack of a statutory definition of the terms ‘personal data’ or ‘disclosure’. Furthermore, the lack of a requirement for formal notification, as well as for registration, before the processing of data in the country means that there is no structured modality for reporting breaches of personal data under any law in the country. There is a need, therefore, to address these gaps to protect personal data in the country.

1.5 Theoretical Underpinnings

This research builds on two theories. These are the theory of human rights in patient care and the theory of human rights in Islam. These theories are briefly discussed below:

1.5.1 Human Rights in Patient Care

Since this research considers the right to confidentiality in the patient care context, it is not out of place to consider human rights in patient care. Patient care deals with the prevention, treatment and management of illness and the preservation of physical and mental well-being through the services offered by HCPs. Human rights in patient care refer to the ‘theoretical and practical application of general human rights principles to the patient care context.’ Human rights in patient care recognise that HCPs are important actors whose rights must be respected, just as the right of the patient to receive services which meet the international standards set out in international and regional human rights norms and agreements. Confidentiality is crucial for patients seeking diagnosis and treatment of illnesses to which stigma is attached, such as HIV/AIDS and mental illness. From the standpoint of international law, human rights in this context are two-way traffic. Furthermore, the right to privacy and confidentiality, which is the crux of this research, is provided for in the International Covenant on Civil and Political Rights (ICCPR) and Covenants on the Rights of the Child (CRC), which are accepted by Saudi Arabia. It is noteworthy that these rights may be violated in any of the following situations:

Patient medical information is available to all staff;

Patients are forced to disclose their medical diagnosis to their employer to obtain leave from work;

Medical examinations take place in public conditions etc.

Building on the above, this study examines how a model can be structured to consider the above grounds. The interpretation and evaluation of international human rights as exemplified by the ‘triple test’ has been selected for this study, and emphasis is placed on lessons learnt.

1.5.2 Human Rights in Islam

Given the peculiarity of the Saudi Arabian legal system, it is pertinent to consider the concept of human rights in Islam. Human rights in Islam are derived from divinity. The concept of human rights is not exclusively a Western concept. There are numerous verses from the Qur’an that show that Islam has come to free human beings from any bondage. In Islam, human rights simply mean the natural rights which have been ordained by Allah (God). Man enjoys these rights for being human. These rights are granted by God and not by any legislative assembly or king. It is noteworthy that the recognition of the inherent dignity of human beings is unambiguously corroborated by the Qur’an. However, there is a need to identify possible mechanisms within Islamic law for the practical implementation of international human rights in the domestic forum of Muslim states that apply Shari’ah or aspects of it. This stems from the fact that, under traditional Shari’ah, the early Islamic jurists addressed issues related to human rights within the general framework of rights and duties without codifying or listing specific human rights guaranteed by the Shari’ah. It is believed that, through a liberal interpretation of the Shari’ah, it is also possible to accept the idea of managing patient confidentiality as expressed in IHRL. This is because, as Viljanen puts it succinctly: “The necessary element of development of the international human rights in any context and by any actors, whether nationally, regionally or universally, is the interpretation in light of present-day conditions and requiring the increasingly high standard in the area of the protection of human rights and fundamental liberties correspondingly and inevitably requiring greater firmness in assessing breaches of the fundamental values of democratic societies.”

1.6 Research Methodology

This section discusses the approach adopted for this research. It describes the rationale for choosing the method for assessing the legal protection of patient confidentiality in Saudi Arabia. Following the research question formulated for the study, which is: how adequate is the legal protection for patient confidentiality under the Saudi Arabian legal system?, the study adopts a desktop library approach to provide a solution to the research problem, which identifies the fact that an increase in the use of modern information technologies puts patients’ confidential data at risk. The study primarily focuses on the protection of patient confidentiality provided under the Saudi Arabian legal system. The research evaluates these laws, regulations and policies to reach a conclusion and make recommendations. The researcher adopts a legal research style. The methodology for the research is a doctrinal approach. Legal research makes a distinction between primary and secondary sources. However, there is a distinction between primary sources of law in the West and under Islamic law. In the West, primary sources of law include legislation, court decisions, and regulations that form the basis of legal doctrine. Secondary sources, on the other hand, are works which are themselves not law but which discuss and analyse legal doctrine. Under the Shari’ah system, on the other hand, the two primary and transmitted sources of law are the Qur’an (the revealed book) and the Sunnah (sayings and deeds of the Prophet (PBUH)). The combination of the two crucial sources is seen as a link between reason and revelation. The Qur’an is considered the most important and sacred source of Islamic law. It comprises over 500 legal verses that explicitly set out legal rulings that should be applied by believers. The Shari’ah broadly consists of the protection of one’s life, mind, offspring, religion as well as property.
It is noteworthy that only limited legal rulings stated in the Qur’an and the Sunnah have a definitive nature. The body of Islamic law is contingent upon the views of Islamic jurists or the reasoning of the jurists referred to as Usul-al-Fiqh. While the Qur’an does not make any explicit or implicit legal provisions in a majority of areas, it nonetheless helps to support the system of Shari’ah. According to the Sunni schools of Islamic jurisprudence, the secondary sources of law are the consensus of the companions of the Prophet (PBUH). These are referred to as the consensus of commentators on a unresolved point of law. It is important, therefore, to note the difference(s) between the primary sources of law under the common law for instance and the Shari’ah. Upon identifying the difference between the legal system that can be applied in Saudi Arabia and those in the West in the first chapter of this thesis, the study begins with an introduction of the unique nature of the Saudi Arabian legal system and the need for protecting patient confidentiality given the increase in the use of information technology by HCPs. A comprehensive literature review follows in the succeeding chapters to analyse the legal protection for managing patient confidentiality both from the Western and Saudi Arabian point of views. Following from the above, the ethical practice for HCPs and human rights in Islam are identified as the conceptual construct upon, which the study rests. Furthermore, consequent upon the review of the literature, the research question, aim and objectives for the research were developed. The study adopts a doctrinal method of legal research to analyse legal sources. A large number of documents derived from primary and secondary sources were also reviewed. 
The primary sources are made up of the Qur’an, Sunnah and statutes while the secondary sources include the consensus of Islamic jurists, textbooks, journal articles, working papers, theses, newspaper articles and reports, magazines, government publications and other materials available via online sources. The study concludes with the findings and recommendations for practice and provides direction for future studies.

1.7 Research Plan and Structure

This study is divided into seven chapters. Each of the chapters is briefly described below:

Chapter One: This is a general introduction to the research. It describes the research problem, identifies the research question, justifies the research, introduces the literature and expounds on the theoretical framework on which the substructure of the study rests. Furthermore, the chapter sets out the methodology adopted for the research and describes the structure of the research. The chapter also introduces the concept of confidentiality as it relates to the HCP.

Chapter Two: The second chapter of the study presents a review of the concept and practice of patient confidentiality. The chapter identifies such aspects as patient confidentiality among HCPs. It discusses patient confidentiality from both the Western and the Saudi Arabian perspectives. An attempt is made to introduce the reader to the practice in other jurisdictions as well as in Saudi Arabia. The reference to patient confidentiality in Western countries is to highlight the practice in those jurisdictions. The aim is not to draw comparisons but to show to what extent lessons can be learnt from the IHRLs to justify a liberal interpretation of the rules in Saudi Arabia. The triple tests for ascertaining whether the limitation of a fundamental right is justifiable are also introduced in chapter two of this thesis.

Chapter Three: Here the study reviews the Saudi Arabian laws on patient confidentiality within the context of domestic (Islamic), regional and international human rights law. The laws are examined to uncover whether or not they measure up to the standard required for protecting patient confidentiality in contemporary times, given the increasing use of IT systems in healthcare practice.

Chapter Four and Chapter Five: The fourth and fifth chapters review and assess the adequacy of Saudi Arabian laws on privacy and confidentiality and those specifically dealing with patient confidentiality respectively.

Chapter Six: The sixth chapter reviews and assesses the available ‘soft norms’, which include professional ethics and codes as well as administrative regulations and other controls available to ensure adequate protection of the patient’s confidential data.

Chapter Seven: This chapter of the research discusses the new challenges to the protection of patient confidentiality especially the role and influence of the new information management technologies including social media platforms and electronic health information systems.

Chapter Eight: The final chapter of the study represents a summary of the findings, observations, conclusions and recommendations.

1.8 Scope, Limitations and Challenges Encountered

This thesis focuses on the legal protection of patient confidentiality under the Saudi Arabian legal system, taking into cognisance evolving developments in information technology systems. The need for the law to catch up with the fast pace of technology is the bedrock upon which this study is built. While the focus of the research is not restricted to patient confidentiality in the use of electronic information systems or the use of social media platforms, the scope of the thesis is limited in certain respects. Firstly, this thesis is concerned with the patient’s confidentiality and not the patient’s right to privacy per se. In other words, this research deals with data protection as against spatial privacy rights. Secondly, although confidentiality may be addressed through the prism of legal regulation, ethical self-regulation and privacy-enhancing technology, the study is about the legal protection of patient confidentiality under the Saudi Arabian legal system. It is worthy of note as well that under the Saudi Arabian Law of Healthcare Professions, the Ethical Code is embedded as a part of the law to the extent that compliance with the Code is considered as compliance with the law. Furthermore, while this study is not a comparative study, reference to international and regional instruments (e.g., the ECHR) is made for lessons that can be learnt and that are not incompatible with the tenets of the Shari’ah. Besides, the research considers other areas of law outside the scope of the research topic to advance arguments. The study is limited by the paucity of literature from the Saudi Arabian perspective. The dearth of literature is compounded by the fact that some of the available literature is written in the Arabic language. Other areas of limitation include the non-availability of judicial precedents to use for the study due to the unique legal system in Saudi Arabia.

1.9 Conclusion

This chapter encapsulates the framework of the study. It introduces the reader to the unique nature of the Saudi Arabian legal system and the patient’s right to confidentiality. It is noted that whilst the right to confidentiality is an offshoot of the right to privacy, this research deals with the right to confidentiality and does not undertake a broad approach. The chapter examines human rights in patient care as well as human rights under Islamic law, as the bedrock upon which the study builds. Some points to note from the first chapter include the fact that human rights are not exclusively Western and that human rights can be traced to divine laws, as it is indisputable that Islam provides recognition for human rights as one of the tenets of faith prescribed in the Qur’an and the Sunnah. The thesis argues for a liberal interpretation of the Shari’ah principles to accommodate human rights provisions in the protection of the right to patient confidentiality. Furthermore, the unique nature of the Saudi Arabian legal system means that there are no judicial precedents to rely on for the study, as well as the fact that there is a paucity of literature strictly from the Saudi Arabian perspective. The writer notes particularly that the increase in the use of new forms of information technology and the advancements achieved in the use of electronic healthcare management systems vis-à-vis the right of the patient to confidentiality make this research germane. The chapter includes the research question, the aim and objective(s) for the research, the methodology adopted for the study, the research plan and structure as well as the scope and limitations for the research. The next chapter discusses understanding patient confidentiality rights as well as tests developed under the international human rights laws for the protection of human rights.

Chapter Two Understanding Patients’ Confidentiality And The Tests For Limitation Of Human Rights

2.1 Introduction

The second chapter of this thesis appraises the concept of confidentiality and the tests for the limitation of human rights. Various aspects, including the law relating to the right to patient confidentiality, are introduced and discussed in this chapter. The chapter also discusses the tests developed under IHRL for the limitation of human rights to show what lessons can be learnt to develop a Saudi Arabian model that is compliant with the tenets of the Shari’ah. This chapter introduces the gist of the study as well as develops discussion in successive chapters of the thesis.

2.2. Patient confidentiality or privacy?

As alluded to several times earlier, the focal point of this research is confidentiality rather than privacy. The bulk of this study centres on the duty of maintaining patient confidentiality, and respect for the patient’s confidentiality is fundamental to the professional relationship between the patient and the healthcare professional. Often, however, we feel tempted to use the terms “privacy” and “confidentiality” interchangeably, as if they bear one and the same meaning or connotation. The terms privacy and confidentiality are sometimes distinguished on the basis that privacy refers to physical matters, while confidentiality refers to informational material. On that construction, if a stranger walks into a consulting room and sees a patient being examined by a doctor, the patient’s privacy is violated, whereas if the same stranger later picks up the patient’s health record, confidentiality is violated. It might not necessarily be as simple as that. Although the two concepts were both derived from the ethical principles of respect for the autonomy of persons, the desire to do good (beneficence), and the principle of trust, there is a distinction between the two, although it is often seemingly unclear. In other words, it is a sort of distinction without difference. It could be argued that, while privacy of information is construed as a general concept, which reflects both the individual and public interest in the ability to keep private information away from public view, confidentiality, on the other hand, has to do with relationships and the rules that govern how information is shared within them. This section tries to clarify further that, although the two concepts bear similarities, there are significant differences in their definition and impact within the context of the professional relationship between the patient and a healthcare professional.
Another significance of this section is to identify the focal point of the Saudi Arabian protection of patient confidentiality, i.e., is it about privacy, or confidentiality, or a combination of both? Consequently, it is noteworthy at this point that our focus is largely on data protection rather than physical privacy protection. It is, therefore, instructive to digress a little and review the concept, definitions and differences (and similarities, if any) between privacy and confidentiality to enable us to buttress our choice of data protection as our focus as against privacy.

2.2.1. Privacy

Among all the human rights in the international catalogue, privacy is perhaps the most difficult to define. Not only is the difference between privacy and confidentiality blurred, but defining the term ‘privacy’ involves even more difficulties. No one knows what is meant by "privacy" because, perhaps, no single workable definition can be offered and privacy may take different forms that are related to one another by family resemblances. For instance, the word privacy, which this study refers to as “chameleon-like”, may denote a wide range of wildly dissimilar issues that range from confidentiality of personal information to reproductive autonomy, while others have lamented that the term tends to be ambiguous, momentary, elusive and variable. When considered generally, privacy protection is frequently seen as a way of controlling access to a person's private affairs, which may include information privacy, bodily privacy and territorial privacy. Information privacy governs the collection and handling of sensitive personal data such as credit information and medical records, while bodily privacy is concerned with the protection of people's bodies against invasive procedures such as drug testing and cavity searches. On the other hand, privacy of communications covers the security and control of access to all forms of communication such as mail, telephone, email, etc., while territorial privacy sets limits on intrusion into the territorial space such as the workplace or public space. Under other jurisdictions, the ECHR has not specifically defined what a private life denotes for the purpose of attaching a legal right or duty to it. However, it was also held that private life is a broad term and its scope is not exhaustive, covering both the physical and psychological integrity of a person, guarantees of personal autonomy, personal privacy, identity, integrity, development, etc.
In the case of public figures, their privacy is limited to those areas of their private life where it is obvious that they wanted to be alone. Often, privacy has been referred to by several names, including "that which is no one's business," “the right to be let alone,” a “person's interest in controlling other people's access to information about him or herself,” or "the condition of not having undocumented personal knowledge about one possessed by others." Another view considers privacy as being invaded when people approach an individual so that they can examine his or her body, behaviour or interpersonal relations. Preserving privacy in such cases would entail the creation of a physical barrier between the individual and others. Recently, the Indian Supreme Court in Puttaswamy and Anr. vs Union of India And Ors, defined privacy as: “The ultimate expression of the sanctity of the individual. It is a constitutional value which straddles across the spectrum of fundamental rights and protects for the individual a zone of choice and self-determination.” It has also been proposed that privacy may denote the ‘desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitude and their behaviour to others.’ The Caldicott Report in the UK, although it lamented its failure to find a “wholly satisfactory statutory definition of privacy," proposed an “acceptable” legal definition of privacy as: “The right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.” Accordingly, even when a zone of interaction is considered as being within the scope of public life, it may still fall within the scope of private life if, for instance, the activities are intentionally or knowingly recorded systematically or permanently.
A compilation of data on individuals may constitute interference with, or a breach of, privacy, except where monitoring is done without recording. Likewise, a publication of materials beyond what is foreseeable, or that was not anticipated at the time of collection, is a serious interference with the right to privacy.

It has been argued that Warren and Brandeis’ definition of the right to privacy (of 1890) as "the right to be left alone" seemingly ushered in the modern concept of the privacy right. It could be safely surmised that privacy relates to secrecy (the extent of our accessibility to others), solitude (our popularity and others’ access to us) and anonymity (the extent of our being the subject of interest to others). Furthermore, the loss of privacy may not necessarily involve the disclosure of the patient’s private information because one can lose privacy just by being the object of attention, even when no information is disclosed, and regardless of whether the attention is conscious, intentional or unintentional. Privacy "is related to our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others' attention." Privacy relates to persons and/or personhood, i.e., a person’s right to use, manage and control his/her certain emotional, cognitive, or psychological "space" and the ability of a patient to control personal information or to make decisions about how his/her personal information is accessed. That is, it is the power to "deny and/or grant access” to some (personally identifiable) information about himself or to control who can experience him or observe him. Although the term privacy was first used in tort law, the right to privacy is now one of the fundamental human rights that is clearly captured under the United Nations Declaration on Human Rights (UDHR), regional conventions/charters and national constitutions that protect a person's spatial privacy (e.g., of home) and informational privacy against illegal interference by the government.
For instance, the UDHR, the Arab Charter on Human Rights and the European Convention on Human Rights (ECHR) have all given protection against “arbitrary interference with privacy, family, home or correspondence”. Accordingly, the Saudi Basic Law of Governance provides: “The State shall protect human rights in accordance with the Islamic Shari‘ah.” “Correspondence by telegraph and mail, telephone conversations, and other means of communication shall be protected. They may not be seized, delayed, viewed, or listened to except in cases set forth in the Law.” Therefore, the right to privacy is the limitation placed on the right of others to have access to information about, or the physical space of, an individual. Although the study does not intend to delve into the “space” privacy rights as applied to the fundamental rights to privacy, in view of the cultural sensitivity of Saudi society with regard to spatial privacy, especially during interactions between people of the opposite sex, we may examine how this unique and intricate interaction affects the patient’s confidentiality right. Furthermore, it should be noted that the privacy limitation placed on information concerns unlawful access rather than its unlawful sharing with (or disclosure to) third parties, which comes within the ambit of confidentiality. However, the healthcare professional in Saudi Arabia, just like elsewhere, might be at risk of breaching a patient’s privacy right unless he/she accesses the patient’s confidential information upon the assumption of a professional relationship with the patient. It would seem, therefore, to be a breach of the patient’s privacy if, for instance, a healthcare professional illegally accesses a patient’s electronic medical record, or illegally obtains a patient’s medical records file, or someone eavesdrops and listens to a conversation between a patient and her doctor.
It would, however, be different if the access was made possible by an unjustified disclosure by someone who had legally accessed the information. In such a case, the person who made the unjustified disclosure would have been in breach of the right to confidentiality, rather than the right to privacy, because the access was legal.

2.2.2. Confidentiality

The second arm of the human right to privacy is the control over the disclosure to a third party of personal information already lawfully accessed. Confidentiality has been defined as “the careful husbandry of personal information,” or as the duty to maintain a patient’s private information revealed during a professional relationship. More specifically, confidentiality implies the protection of personally identifiable information against access or knowledge by any unauthorised third party. The information sought to be protected must be unique to that particular patient (as opposed to information that could be attributable to any person qua person). The lawful access to a patient’s private data or other similar information of this kind further creates an obligation or a commitment by the healthcare professional to keep that data in confidence. Confidentiality then may imply two domains: that which is private (or known only to the individual) and that which is public (that which is already known to the public). The doctor may be justified in breaching the duty in the public interest, and any personal information which is already in the public domain, as in newspaper articles, is not considered private. This exception may also apply to any previously privileged information that was disclosed in breach of confidentiality. That is to say that once it is published, no matter how, it might no longer claim confidentiality. As alluded to earlier, the right to patient confidentiality is predicated on the value of trust placed in a doctor-patient relationship. The patient presupposes that the doctor will, banking on this trust, refrain from revealing that private information to others without his consent. Confidentiality, too, is founded upon the ethical principle of autonomy, with the goal of protecting the patient’s interests as the master/ruler of his secret.
The patient should be able to decide freely what, whether, how and to whom to disclose that particular information about his/her health or treatment. One of the key features of this study is to identify the circumstances that signify a breach of patient confidentiality and the remedies available to the aggrieved patient. A breach of patient confidentiality may arise at various levels of managing the patient’s information, which may include acquiring (collection), processing and disseminating the patient’s private information, as opposed to a privacy breach that arises because of invasion into the patient’s private affairs. The study recognises that information collection generally involves surveillance and history taking or interview. In the context of patient confidentiality, information may be conveyed in the form of disclosure of the patient’s complaints and other information unique to the patient on laboratory or radiological test requests. The professional may also access a patient’s intimate information through physical, radiological and pathological examinations and evaluations. How the information is acquired could potentially lead to a privacy breach, while confidentiality focuses more on whether, to whom, and how that information is further transmitted. On the other hand, information processing implies how the acquired information is stored, manipulated, and used. This process may involve aggregating the information (the grouping of various pieces of information about the patient) and identification, or linking the aggregated information to the patient. At these stages, two challenges may lead to a potential breach of confidentiality: insecurity and secondary use. Insecurity may arise from the failure to protect stored information from improper access, while secondary use is the use of data for a different purpose without the patient’s consent.
In such situations, there would appear to be a case of breach of privacy where an individual takes advantage of the insecurity and illegally intrudes and acquires the patient’s confidential information. On the other hand, it would seem to be a breach of confidentiality if the professional or the health institution, having legally acquired the information, subjects it to insecurity and/or secondary use without the patient’s specific consent, with a resultant disclosure to an unintended third party.

As we have pointed out earlier, the main premise of the duty of confidentiality is a commitment by the professional to keep a patient's information secret. Therefore, during the process of information dissemination, several actions could result in a breach of confidentiality. These may include disclosure, exposure, increased accessibility, appropriation and distortion. Disclosure is considered as revealing the patient’s truthful information to others that could result in prejudice or stereotype, while exposure involves revealing the patient's bodily functions. Conversely, increased accessibility is the act of increasing the availability of the patient’s private information to third parties, while appropriation involves using the patient’s information to serve some ulterior interest. Data distortion entails the distribution of false or misleading information about the patient. The worst form of illegal disclosure is when the patient’s information is used as a tool for blackmail, i.e., the threat to disclose personal information. It is only through an unlawful disclosure of the information that a breach of confidentiality becomes effective. As in other contexts, a supposed breach of confidentiality may be justified where the disclosure is purportedly in the public interest or if this information is already in the public domain, as in the British cases of Campbell and Mosley vs News Group Newspapers Ltd. It seems that the more we try to juxtapose the terms privacy and confidentiality, the more blurred their distinctiveness becomes. There is no clear and definitive differentiation between the two terms, privacy and confidentiality, under the Saudi Arabian laws. Even when seen under other jurisdictions like the UK’s laws, the difference between ‘privacy’ and ‘confidentiality’ as respectively described by Article 8 of the Human Rights Act and the Data Protection Act has resulted in more confusion.
Notwithstanding the blurred distinction between the two, the takeaway is that privacy is about access to spatial or informational space, while confidentiality is about disclosure of information legally accessed pursuant to the relationship of confidence between the patient and the healthcare professional. Furthermore, the right to confidentiality derives its origin from the right to privacy and not the other way around. Therefore, despite the attempts made above to clearly differentiate between the two concepts, in this study a reference to privacy or confidentiality is a reference to unlawful access to or disclosure of patient confidential information (data protection). Unless otherwise clearly delineated, the study does not delve into physical privacy.

2.2.3. What is Patient Confidentiality?

Patient confidentiality ‘is central to the preservation of trust between doctors and their patients.’ It represents a patient’s right to the protection of their personal information, which under normal circumstances should remain strictly confidential during the patient’s lifetime and even after their death. A duty of confidence arises when a patient discloses information to an HCP (for example, a patient to a physician) in circumstances where it is reasonable to expect that the information will be held in confidence. In the United Kingdom, for instance, confidentiality is a legal obligation that is derived from law and must be included within the National Health Service (NHS) employment contracts as a specific requirement linked to disciplinary procedures. Confidentiality is, therefore, both an ethical and a legal obligation. The right to confidentiality is an essential part of the bond that exists between an HCP and a patient. Where it is not maintained, it may lead to the patient being reluctant to reveal confidential information that is required for proper diagnosis and treatment. Confidentiality is a right that must be respected by all members of the healthcare team. Disclosing confidential information about a patient without their consent is unethical and a breach of a legal duty. The only exception is where the HCP is required by law, ethics or a contractual obligation to disclose such information. For a patient to give consent to any disclosure of confidential information, the patient needs to understand:

who the information will be disclosed to;

precisely what information will be disclosed;

why the information is to be disclosed; and

the significant foreseeable consequences.

Where a patient has given consent for the disclosure of any confidential information, the HCP must disclose only the information the patient has agreed to and only to the third party requested, and no other use of the information can be made without further consent from the patient. As previously discussed in chapter 1, patient confidentiality is not a concept known only to the West. The concept has been considered in Islamic jurisprudence; as such, contemporary Islamic scholars can produce a fatwa based on the Islamic principles in the exercise of Islamic Fiqh, which is a reference to the Qur’an whenever the truth needs to be found and is based on a rational questioning of what it is to be human. The scholars can rationalise and determine what should be a right or duty derived from the tenets of the Qur’an. As a result of applying Fiqh, scholars have determined that patient confidentiality should be protected. Patient confidentiality is an off-shoot of the human right to privacy and confidentiality. It needs to be noted, however, that there is a difference between both concepts. Confidentiality is the legal protection offered to a person for sharing private information with a professional with whom that person is in a fiduciary relationship. For example, in the context of healthcare, confidentiality refers to data disclosed by a patient to an HCP during dialogue in a medical appointment. On the other hand, privacy refers to the ‘legal protection of personal medical information from being shared on a public platform. Privacy legally protects the patient’s records, prescriptions and examinations from being shared or accessed by anyone other than his/her physician.’

2.2.4. Patient Confidentiality among Healthcare Practitioners

In countries where physicians are duty-bound by the Hippocratic Oath to safeguard patient confidentiality, they swear to protect patient confidentiality. For example, these words form part of the 1923 edition of the Hippocratic Oath: “And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets…” By reason of that oath, physicians have a legal as well as an ethical obligation to protect patients’ confidential information. In the UK, the Hippocratic Oath has served as the main pillar for the physician’s duty (as an ethical guideline on the confidentiality of health information), and practitioners should make it an important point of consideration in the course of treating patients. The medical information of a patient is not only what the HCP finds during a diagnosis, clinical examination or test results; it also includes information regarding the patient’s life, lifestyle and habits. Any inappropriate disclosure of a patient’s confidential information by the HCP could potentially be a threat to the patient’s reputation and human dignity. In the Islamic Republic of Iran, for example, a breach of a patient’s confidentiality by an HCP could be punishable upon conviction under the Islamic Penal Code. In the same vein, Iran’s Medical Council prohibits breaching confidentiality. In Saudi Arabia, the healthcare profession is regarded as a noble profession because it is related to ‘the human soul, health and life preservation which is the most precious thing.’ Under the Code for HCPs in Saudi Arabia, it is emphasised that Shari’ah has asserted the significance of keeping the patient’s secrets and confidentiality. As a guide, the HCP must never disclose a patient’s confidential information except in the following circumstances:

If the disclosure is to protect the patient’s contacts from being infected or harmed, like contagious diseases, drug addiction, or severe psychological illnesses. In this case, the disclosure should be confined to those who may become harmed;

If the disclosure is to achieve a dominant interest of the society or to ward off any evil from it. In this case, the disclosure should be made only to the official specialized authorities. Examples of this condition are the following:

Reporting death resulting from a criminal act, or to prevent a crime from happening.

Reporting of communicable or infectious diseases.

If disclosure is requested by a judiciary authority.

To defend a charge against a healthcare practitioner alleged by the patient or his/her family in relation to the practitioner’s competence or how he/she practices his/her profession. Disclosure should be only before the official authorities.

If the disclosure to the patient’s family or others is useful for the treatment, then there is no objection to such disclosure after seeking the patient’s consent.

The healthcare practitioner can disclose some of his/her patient’s secrets when needed for the education of other healthcare team members. This should be limited to the purposes of education only and to refrain from disclosing what could lead to the identification of the patient and his/her identity.

Furthermore, Article 21 of the Law of Healthcare Professions 2011 and the Council of Ministers Resolution provide for the duty on HCPs to maintain the patient’s confidentiality in the following words:

A healthcare professional shall maintain the confidentiality of information obtained in the course of his practice and may not disclose it except (as provided by the law) …

A violation of the law is a criminal liability which upon conviction attracts a fine, a warning or revocation of the license for the practice and/or a further ban from re-registration for a period of two years from the date of revocation.

In other jurisdictions, such as the U.K., the duty of confidentiality is enforced through four apparatuses:

Common law;

Statute;

Contract of employment; and

Regulatory bodies

Under the common law, patients who feel that their confidentiality has been breached may seek redress from a court in a civil suit. Professional registration bodies may investigate any alleged breach of confidentiality and where required, impose appropriate sanctions, which may include delisting of the HCP from the register of practitioners.

Confidentiality in Medical Codes of Ethics

2.3. Choosing the Triple Test as Guide for Assessment of Adequacy of Compliance with Right to Privacy and Confidentiality

Despite the perennial rancour among some nations, it is no longer in dispute that human rights are universally applicable, although the modus of their application may differ from jurisdiction to jurisdiction. Therefore, the thesis proposes to use a criterion for the assessment of the adequacy of protection of the right to privacy that is not only universally applied, but also accepted in the Saudi Arabian jurisdiction. This is called the ‘triple test’ of legality, legitimate aim (necessity) and proportionality. This test, which seeks to safeguard human rights from arbitrary abuse, is widely accepted and applied in several international human rights treaties. Furthermore, Saudi Arabia has ratified the treaties, which further accept this test. Therefore, it can be argued that the triple test is applicable to Saudi Arabia because it is part of the international legal system, and because it has chosen to ratify treaties where the test is clearly embodied, in both Islamic and UN treaties. This is because Saudi Arabia has agreed to review, amend and/or abolish its existing laws and regulations and/or to draft new laws to streamline them with the international human rights instruments to which the country is a party. For instance, Article 29 (2) of the UDHR provides: In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.
Similarly, the Arab Charter on Human Rights, which affirmed the UDHR in its preamble, reiterated the three elements of the test, namely law, necessity (legitimate interests) and proportionality, at Article 4: It is prohibited to impose limitations on the rights and freedoms guaranteed by virtue of this Charter unless where prescribed by law and considered necessary to protect national and economic security, or public order, or public health, or morals, or the rights and freedoms of others. The Universal Islamic Declaration on Human Rights, at its Explanation 3, made a similar provision that emphasised the requirements of the triple test of legality, necessity and proportionality, with a proviso that the law referred to therein is the Shari’ah, and that it relates to the Muslim Ummah (community) only: In the exercise and enjoyment of the rights referred to above every person shall be subject only to such limitations as are enjoined by the Law for the purpose of securing the due recognition of, and respect for, the rights and the freedom of others and of meeting the just requirements of morality, public order and the general welfare of the Community (Ummah). The Cairo Declaration on Human Rights at Article 8 made safeguards against the infringement of human rights ‘except for the requirements of public interest’ or ‘for a necessity dictated by law’. Similarly, some international human rights conventions that Saudi Arabia has ratified, e.g., the CRPD and CRC (although not referring to privacy), have made similar restrictions. An International Conference of Data Protection and Privacy Commissioners was held in Madrid on 5 November 2009 to, among other things, define a set of principles and rights guaranteeing the effective and internationally uniform protection of privacy with regard to the processing of personal data.
Although Saudi Arabia did not attend the conference, the Madrid Resolution allows for restrictions to the right of privacy and confidentiality subject to the fulfilment of the elements of the triple test, thus: When necessary in a democratic society in the interests of national security, public safety, for the protection of public health, or for the protection of the rights and freedoms of others... Likewise, some other international human rights conventions that Saudi Arabia has not ratified, e.g., the ICCPR and ICESCR, and other regional human rights conventions to which Saudi Arabia is not a state party, e.g., the ECHR, have made the same exceptions. For instance, Article 8(2) of the ECHR provides as follows: There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Additionally, constitutional courts in several other countries and regional human rights courts have applied the principle of proportionality, intending to guarantee the full respect of human rights by the state. It could easily be deduced from the above that the elements of the triple test are firmly ingrained in the international human rights laws that are universally applied under laws that are applicable to Saudi Arabia. However, because of the lack or inadequacy of enforcement mechanisms, the triple test is not as fully developed as it is, for instance, under the ECHR, where the ECtHR plays a key role in ensuring signatory states’ compliance with the Convention. Therefore, it may not be out of place to show why it is important to make reference to some regional interpretation of the right to privacy, e.g., that of the ECHR, which is not binding on Saudi Arabia.
The main issue with universal declarations and international/regional conventions is the lack of, or weakness of, interpretation, enforcement mechanisms or assurance of remedies. Of course, Saudi Arabia is not ordinarily bound by the ECHR, and therefore the ‘interpretations of human rights by the European Court of Human Rights are thus certainly not automatically guiding or acceptable’. However, the ECtHR has developed the triple test as applicable to privacy in IHRL, and there is no available case law that interprets the principles of the triple test as applicable under the Saudi Arabian jurisdiction. It is accepted that in many instances interpretations from Strasbourg are applicable universally. This is the case for the right to patient confidentiality in medical settings. The Western medical model is the one that is implemented worldwide as modern medicine, including in Saudi Arabia. Therefore, the thesis may refer to the Strasbourg case law interpretation of the provisions of Article 8 of the ECHR as representative of the same principles enunciated under those declarations to which Saudi Arabia is a state party.

The ECtHR has further developed and strengthened the triple test under the ECHR, and the thesis proposes to use any such lessons that may be used for any subsequent reform, development or enforcement of human rights law under the Saudi Arabian jurisdiction. Similarly, the interpretation provided by the ECtHR is leading and influential in the field, as is reinforced by the role the EU plays in setting the standards for privacy/data protection in the world. The ECHR is grounded on both a universal and a regional inspiration, and serves as the first steps for the collective enforcement of certain of the rights stated in the UDHR. As noted above, therefore, any interference with rights protected by human rights laws can only be valid if it passes the triple tests, which comprise the ‘legality test’, ‘legitimate aim test’ and ‘necessity/proportionality test’ as advanced under both Article 29 (2) of the UDHR and other IHRLs.

2.4 The Triple Tests

Having noted above the need for protection of human rights, this study identifies a triple test, which establishes the grounds on which human rights may be subject to certain limitations. As a corollary, the right to patient confidentiality is not absolute. As such, there are certain circumstances under which the right may be curtailed. Taking the above into reckoning, how might the law adequately provide for the protection of the right to confidentiality under circumstances that warrant a limitation? Furthermore, how might one assess whether the exceptions give room for abuse and arbitrariness on the part of state actors and other private individuals? The answers to these questions necessitate a discussion of the ‘triple tests.’ The tests are discussed under sections 2.4.1 to 2.4.3 below:

2.4.1 The Legality Test

The legality test requires that any restriction on human rights must be ‘provided for’ or ‘prescribed by’ law. Borrowing the Strasbourg Court’s dicta in the cases of Huvig and Kruslin, the legality test poses four questions that must be answered in order to establish that the restriction of the right is according to law:

Legal Infraction: Does the domestic legal system sanction the infraction?

Accessibility: Is the relevant legal provision accessible to the citizen?

Precision, clarity, and foreseeability: Is the legal provision sufficiently precise to enable the citizen reasonably to foresee the consequences which a given action may entail?

Safeguards against arbitrary infringement: Does the law provide adequate safeguards against arbitrary interference with the respective substantive rights? Does the law provide for a reasonable application/use of the data and an adequate administrative control against misuse?

Where the answer(s) to any of the four questions (above) is/are in the negative, the legality test must fail. Following from this there will be no need to proceed to the two other tests. As a result, the infringement would not be justifiable. As it relates to the right of privacy and confidentiality, where the legality test fails, there is no reason why the right should be limited.

2.4.2 Legitimate Aim Test

The second test is the legitimate aim test. Here, an interference that potentially contravenes a protected right must not only be ‘in accordance with the law,’ but must also pursue one or more of the legitimate aims referred to under Article 29 (2) of the UDHR, other IHRLs earlier on alluded to, and Article 8 (2) of the ECHR. Under international human rights law, any restriction on the rights to privacy must be necessary for pursuing at least one of the ‘legitimate aims.’ These legitimate aims may include public safety, prevention of crime, protection of morals and of the rights of others, national security and ‘the economic well-being of the country.’

2.4.3 The Proportionality Test

The third test is the ‘proportionality test.’ It is important that the restriction to a human right must not only be necessary for the pursuit of a legitimate aim but that the necessity must be related to a ‘pressing social need’ that is proportionate to the legitimate aim pursued. It is not surprising that the ECtHR emphasised that it must decide whether: …the “interference” complained of corresponded to a “pressing social need,” whether it was “proportionate to the legitimate aim pursued,” [and] whether the reasons given by the national authorities to justify it are “relevant and sufficient.” It forms part of the tests developed by the ECtHR based on the decisions in the cases of Handyside, Silver, and Lingens, which consist of some principal elements: The burden of proof/proportionality: To assess whether the interference is justified by a ‘pressing social need’ relating to one or more of the legitimate aims, and ‘proportionate to the aim being pursued’ by creating a ‘balance’ between rights and exceptions. The margin of appreciation: To ascertain whether both the aim and necessity of any given infringement of rights under one or more of the public interest exceptions is compatible with the Regulation and to what extent they are incompatible with each other, if at all. In essence, the principle of proportionality entails that the statute which affects a human right must be suitable to achieve the legitimate purpose/aim sought by the legislators. In other words, the interpreter must verify that the intention is meant to achieve that aim. Some have criticised these standards for appearing to be rather vague and have argued that the case law on the test of ‘necessity’ lacks transparency.
‘A close examination of the application of the test of “necessity in a democratic society” by the ECtHR reveals a rather non-transparent use of the terminology’ that could potentially confuse and mix distinct elements. The principle that any interference with the right to privacy must be ‘necessary in a democratic society’ is one of the cornerstones of human rights law.

2.4.4. Quality of Case Laws: Lack of Judicial Precedents

In addition to the triple tests, it is argued here that the principles of stare decisis can strengthen the quality of case law. However, the doctrine of judicial precedent has no significant value in the Islamic judicial system. In Islam, it is not necessary to apply the doctrine of judicial precedent in deciding cases. As such, judges decide each case on its merits. Interestingly, even though the judges are not bound to follow precedents, they are not prohibited from referring to former judgments as guidance in deciding cases. For the sake of clarity, all cases have to be decided on their own merits and previous decisions are merely considered as guidance for future cases. This position still prevails in some countries such as Malaysia and Saudi Arabia. In Pakistan, by contrast, the Shari’ah Courts follow the doctrine of judicial precedent, just as in Nigeria, where the Shari’ah Court of Appeal is competent to decide cases before it and its decisions become binding on all subordinate Shari’ah courts. The previous Adab al-Qadi books were principally guides for qadis (judges). These books are not about the actual judicial practice and do not offer anything about the status of precedent in Islamic law. According to Émile Tyan, these writings describe the ideal rather than the actual practice of the Muslim courts. A study of 19 cases of Mata‘ (gift) shows that the judges whose decisions are analysed neither referred to their previous decisions nor considered themselves bound by them in their later decisions. Unfortunately, all the above sources offer little or no help as far as the status of judicial precedents in Islamic law is concerned.
Under the Shari’ah, judges must decide each case on its merits. The message sent by Caliph Umar (r.a) to Abu Musa al-Ash‘ari that is partly relevant to judicial precedent is: If you gave judgment yesterday and today, upon reconsideration, come to the correct opinion, you should not feel prevented by your first judgment from retracting: for justice is primeval, and it is better to retract than to persist in worthlessness. Use your brain about matters that perplex you and to which neither the Qur’an nor the Sunnah seems to apply. Study similar cases and evaluate the situation through analogy with those similar cases. This may be in line with the Islamic legal maxim which says that ‘Ijtihad cannot be revoked by another Ijtihad.’ This legal maxim relates to the validation and invalidation of ijtihad. It does not matter whether the revocation has been pronounced by the mujtahid (Islamic jurist) who initiated the ijtihad. According to this legal maxim, if a jurist exercises ijtihad in conformity with textual authority and reaches a valid outcome, and a similar issue subsequently comes before the same jurist or another jurist, who then gives an opinion different from the first one based on textual authority, the second opinion cannot revoke the first opinion, even though there is a similarity between the first issue and the second one. It is immaterial whether the same jurist or another jurist exercised the second Ijtihad. However, for the application of this rule, the following conditions precedent must be present: The previous decision must be based on ijtihad, and it must not violate the texts from the Qur’an, Sunnah, or a decisive ijma’; Additionally, the previous ijtihad should not depend on clear error, iniquity and/or injustice, and it must not have been based on public interests (moslahah Aammah).
In other words, if the previous ijtihad had either violated the text of a primary source of Shari’ah (the Holy Qur’an or Sunnah) or was based on error, iniquity or injustice, the previous decision may be effectively overruled by a subsequent decision. On the other hand, the Shari’ah itself mainly covers substantive aspects of Islamic law, while the procedural aspects fall within the realms of Fiqh as formulated by the jurists. While the Qur’an and Sunnah, which are the main sources of Islamic law, may specify the crime, prescribe punishments and enjoin substantive justice and general protection of the liberty and security of the individual, they do not often cover details of procedure such as arrest, detention, investigation, prosecution, hearing, judicial review, appeals, etc. The Shari’ah emphasises substantive justice, leaving the procedure for its realisation to the authorities of the state to decide following the best interests of society. Under Islamic law, the issue of due process, being procedural, is covered mostly by the methods rather than by the sources of Islamic law per se. The author submits that perhaps this could be utilised as a window of opportunity for finding common grounds for realigning the application of the IHRL in ways that are considered consistent with the Shari’ah. From the foregoing, it is clear that passing the triple tests is a prerequisite for any restriction to human rights. The triple tests represent the standard applied by the ECtHR to allow a limitation of a human right. The crux of this thesis is to assess whether this test is compliant with the principles of Islamic law and to what extent it can be applied to enforce the protection of human rights, and especially the right of patient confidentiality, in Saudi Arabia.

2.76 Conclusion

This chapter provides an overview of the concept of patient confidentiality and also introduces the triple tests that are used to ascertain whether a human right can be validly curtailed. Patient confidentiality is important for an HCP-patient relationship as patients are happy to disclose personal information based on the understanding that there is an ethical and legal duty on the part of the HCP not to disclose the information to third parties. Where HCPs work in a team, patient data must be shared for the treatment of patients amongst the team members and not to be used for any other purpose. The literature reveals that patient confidentiality is an ethical issue just as it is a legal one. HCPs, therefore, must uphold their oath to keep patients’ confidential matter secret and not disclose these to third parties. It is also noted that certain exceptions apply and it is only in these conditions that there may be a disclosure of patient’s confidential information.

Furthermore, the chapter argues in support of a strong mechanism for enforcing human rights. The ECHR and the mechanism put in place are a good example of the application of Article 29 (2) of the UDHR and the other IHRLs earlier on alluded to. This can serve as a guide for other jurisdictions, including jurisdictions governed by Islamic law, so long as it complies with the tenets of the Shari’ah. Even though the UDHR and other IHRLs are not domestic documents, domestic legal systems may adopt similar strategies to ensure the protection of the rights of citizens. The next chapter discusses the laws of privacy in Saudi Arabia and the universality of human rights.

Chapter Three Saudi Privacy Laws And The Universality Of Human Rights

3.1 Introduction

Saudi Arabia does not wholly reject the UDHR but only certain aspects of it that Saudi Arabia considers as being inconsistent with the Shari’ah. The aspects rejected do not impact on the right to privacy and patient confidentiality, as Saudi Arabia has ratified several treaties that have a bearing on the protection of privacy, with similar contents to Article 29 (2) of the UDHR, other IHRLs earlier on alluded to, and Article 8 (2) of the ECHR. However, its interpretation and application of the requirements necessary for ensuring adequate protection of privacy under the Shari’ah may not be entirely consistent with the IHRLs. This chapter reviews the Saudi laws for their protection of patient confidentiality in the light of the universality of human rights and consistency with the IHRL. In the previous chapter, the concept of the right to patient confidentiality was introduced, as well as the tests that will determine in what circumstances a right can be validly curtailed. The standard used is derived from the IHRL, which is universally applied and accepted by Saudi Arabia. In this chapter, the discussion shifts to laws which guarantee the protection of patients’ personal information in Saudi Arabia. As stated earlier in chapter one, the right to patient confidentiality is an offshoot of the right to privacy. This thesis assumes that even though both concepts flow in the same stream, they should be considered differently. Notwithstanding, a discussion of confidentiality rights must always have a basis in the right to privacy. In an assessment to find out if the laws pass the triple tests discussed under sections 2.5.1 to 2.5.3 in chapter two above, it is imperative to review the concept of confidentiality rights under Saudi laws. The aim is to see how consistent the Saudi laws are with the universal concept of patient confidentiality. The sections in this chapter, therefore, examine the Saudi laws of confidentiality.
Reference is made to the right to confidentiality under the IHRL and the other relevant human rights instruments. It is important to note that the Kingdom of Saudi Arabia operates a monarchical system of government. Its rulers have to come from the descendants of the founder, King Abdulaziz bin Abdulrahman Al-Faisal Al-Saud. The most upright among them shall receive allegiance according to Almighty God’s Book (Qur’an) and His messenger’s Sunnah. As noted in chapters one and two above, the Holy Qur’an and the Sunnah are the ultimate sources of authority in Saudi Arabia and serve as the bedrock for all laws in the Kingdom. While the Saudi Arabian legal system is primarily based on Islamic law, it also faces the challenge of having to contend with the global commitment to abide by international law. Saudi Arabia recognises and provides for respect for human rights (including the right to patient confidentiality) in compliance with the Shari’ah. Consequently, Saudi Arabia’s legal history, legal culture and historical antecedents are reflected in the manner and the extent to which the human right to patient confidentiality is applied within its jurisdiction. To appreciate the degree of legal protection afforded by the Saudi legal system to patient confidentiality, it is imperative to review the global trend and assess the Saudi Arabian status among the comity of nations. In a survey conducted by the World Health Organisation (WHO) and published in 2012, 113 different countries were required to state the level of patient confidentiality in their various jurisdictions. The result of the survey showed that nearly three-quarters of the 113 countries that participated in the survey (70 per cent) reported having some kind of legislative protection of privacy/confidentiality. Again, only 30 per cent of the surveyed countries had legislation specifically protecting the right to privacy of their electronic health records.
Within the context of these findings, one can assess the level of acceptance and application of the legal protection of patient confidentiality, if any, already achieved by Saudi Arabia. Although the specific focus of the survey was on the legislative protection of confidentiality of electronic health records, it is rewarding to find that even the developing countries, a group to which Saudi Arabia belongs, have shown a significant level of acceptance of the basic concept of privacy. The report further shows that, although cultural diversity in different regions tends to give diverse value to legal protection of privacy and confidentiality, the core concept is well understood globally. Further analysis of the report shows that even fewer countries (10 per cent of countries) reported having legislation which covers the sharing of electronic health records across borders. However, this finding does not necessarily imply that the existence or non-existence of such legislation reflects the degree or level of the application of respect for patient confidentiality. It is important to recognise, though, that any discussion regarding patient confidentiality across borders and different cultures must take cognisance of the historical context and the role played by cultures, norms and environments relative to the application of universal concepts of privacy. Often, legal rules arise out of an institutional setting and from a range of different concepts. As stated earlier on, the Saudi Arabian legal system is mainly based on the Shari’ah and therefore its provisions related to patient confidentiality are significantly influenced by the Shari’ah. Despite the impact of Shari’ah on the Saudi legal system, other external factors also have some influence on it. For example, the Arab Charter on Human Rights has a great influence on the concept and application of the patient’s right to confidentiality under Saudi laws.
This can be inferred from the various laws that have been passed to strengthen the right to confidentiality in Saudi Arabia.

3.2 Saudi Arabia and the Universal Declaration of Human Rights

Saudi Arabia has made several objections to the interpretation of the universality of the UDHR with regard to specific human rights issues, but not particularly on the right to privacy and confidentiality. Saudi Arabia’s arguments, objections and abstentions concern the interpretation and application of the freedom of religion and women’s right to equality. But, because those arguments have overshadowed its agreement with many other aspects of human rights, it seems sensible to put this issue in perspective. Human rights or ‘rights of man’ are the rights that one has because of being human. The concept of human rights is understood in different ways by different schools of thought. For instance, the ‘natural scholars’ consider human rights as ‘given’; ‘deliberative scholars’ view it as that which is ‘agreed upon’; the ‘protest scholars’ view it as that which is ‘fought for’, and ‘discourse scholars’ as that which is ‘talked about.’ Human rights, as the naturalists generally hold, are the rights possessed by all humans by virtue of their humanity, i.e., of being human beings in society. The universality features of the right to privacy and confidentiality involve that of personhood, i.e. the right to, for example, the privacy of all persons, and practicalities to justify local variations (or exceptions). Generally, human rights are not equal for all the individuals, as human nature is a fact that is unalterable, not earned nor can it be lost. This ‘conceptual universality’ only establishes that if any such rights exist, all hold them equally/universally. However, the question as to whether everyone or even anyone enjoys these rights is another matter altogether. This is because, in many jurisdictions, these rights are either not implemented at all or are grossly violated. Human rights enforcement largely lies at the mercy of the states.
The right to patient confidentiality is partly an offshoot of the fundamental right to privacy and confidentiality, which guarantees people’s enjoyment of their right to respect for private and family life. The Universal Declaration of Human Rights 1948 is presumably the foundation of international human rights law, which has inspired a rich body of legally binding international and national human rights laws. When addressing injustices, or as we strive towards achieving the universal enjoyment of human rights, it has continued to influence our decisions. Subsequently, regional charters and conventions, including the Arab Charter on Human Rights, formally reaffirmed ‘the principles of the UDHR’, while national (including the Saudi Arabian) constitutions and laws apply human rights laws according to the exigencies of their peculiarities. This Declaration is an internationally accepted benchmark for the application of human rights by nation-members. The attempt to use the UDHR 1948 to establish a universal document on human rights and liberty has been criticised from the Islamic perspective for being motivated by a secular philosophy. This criticism led to Saudi Arabia’s spearheading of an international recognition for human rights based on divine laws. This ultimately led to the Arab Charter as well as the promulgation of a domestic body of laws for protecting human rights based on the principles of Islam. Countries around the world have constitutional provisions for the protection of the right of privacy, including the rights of inviolability of the home and the confidentiality of communications. In a few countries where the constitution does not make explicit provision for privacy rights, such as the United States, the domestic courts have developed case law protecting privacy rights founded under other provisions.
Since patient confidentiality springs from the universal human right to privacy, this study seeks to assess the conformity of the application of domestic law to the principles and application of the universality of human rights. As such, this author seeks to assess whether the application of patient confidentiality under Saudi Arabian laws is consistent with the UDHR and other international human rights treaties ratified by Saudi Arabia, including the Arab Charter. The concept of human rights can be traced in history beyond the UDHR of 1948. For instance, the Magna Carta of 1215 inspired those struggling for rights and freedoms, and many of its core principles are echoed in contemporary human rights legislation. It also served as inspiration for many international human rights documents that serve as living documents evidencing some form of commitment between a government and its people throughout the world. The UDHR is not a treaty, but a non-justiciable ‘statement of fundamental rights’, which serves as a commitment among member states and was established by the United Nations in response to the atrocities of World War II. At best, it is a commendable attempt at a ‘statement of common principles setting a minimum standard for human rights protection.’

It also served as the foundation for two other binding UN human rights covenants, namely the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR). There are Optional Protocols to the ICCPR and ICESCR which give individuals a right to complain to the UN Human Rights Committee if they feel that their human rights have been violated. Both the American Declaration and the UDHR evolved almost contemporaneously, with the American Declaration preceding the UDHR by eight months. Therefore, the drafters of each declaration were interested in and aware of the contents of the other declaration. Mexico’s delegates at one point submitted a motion at the Bogota Conference to take notice of the Universal Declaration project. The vexed question that needs to be addressed at this point is this: how universal is the UDHR? Whilst it is safe to say that the UDHR is not a Western document, as some Muslim-majority nations are signatories to the instrument, Saudi Arabia (where the King must act in line with the tenets of the Shari’ah) did not sign the declaration, arguing that it violated the principles of Islamic law and that the UDHR failed to take into consideration the ‘cultural and religious context of non-Western countries.’ It is worthy of note that Saudi Arabian law is partially at variance with the UDHR, as all Saudi citizens are required to be Muslim by law. Thus, even though the UDHR proclaims a universal outlook, Shari’ah-compliant nations have found comfort in the Shari’ah-based Cairo Declaration on Human Rights in Islam (CDHRI), which is widely acknowledged as an Islamic response to the UDHR.

3.3. Saudi Arabia’s Initial Aversions towards the Universality of the UDHR

Saudi Arabia has constantly attracted criticism in several reports of human rights rapporteurs for alleged human rights violations. However, considering the right to fair trial, Professor Baderin asserts that ‘most of the reports have mainly focused on exposing general practical violations of this right concerning international ‘universal’ human rights instruments without much attention paid to the legal question of whether or not there are relevant domestic provisions for its guarantee that, litigants can rely on’ under the Saudi Arabian legal system. As discussed earlier, the Saudi Basic Law of Governance (Constitution) has recognised and protected certain human rights, including that of privacy and confidentiality. Article 26 provides that ‘the State shall protect human rights in accordance with the Sharia’, while Article 40 provides for privacy and confidentiality. The principles of human rights under the UDHR and those under Islamic laws that apply in Saudi Arabia have mostly been strictly interpreted, and this has produced the ensuing differences. Therefore, the lack of liberal interpretation has arguably highlighted the apparent ‘conflict’ between the UDHR and the Saudi Arabian laws on human rights other than the right to privacy, which persists until now. This ‘conflict’, therefore, could potentially influence the type and degree of ‘non-compliance’ reported. Before the final affirmation of the UDHR through the Arab Charter, Saudi Arabia and a few other developing nations had resisted and abstained from affirming it for several decades after its declaration in 1948, although the actual conflicts are mostly centred on freedom of religion and the rights of women. Interestingly, Saudi Arabia was the only Muslim country to abstain during the UDHR vote along with other mostly communist states (the Soviet Union, Byelorussia, Ukraine, Poland, Czechoslovakia and Yugoslavia) and South Africa.
They had different reasons for their abstentions, which ranged from their assumption that the Commission had either ‘gone too far’ or because it had ‘not gone far enough’, depending on who is complaining. These nations had sought to redefine the term ‘human rights’, because the content was part of what they referred to as ‘the ideological patrimony of Western civilisation.’ One possible factor which gave rise to this phenomenon was that most of the third world countries, including the Muslim countries that were then apparently revolting, were not present at the conferences that produced the UDHR. As of 1948, when the UDHR was declared, most of the countries were either under colonial rule or lacked the political weight at the time to pursue their goals in regard to the provisions of the UDHR. At all events, Saudi Arabia avoided approving articles, declarations or treaties that were contrary to its conservative interpretation of Islam or that were, in its view, detrimental to its sovereignty. While always avoiding explicit opposition to internationally recognised human rights standards, Saudi Arabia has consistently been a believer in, and promoter of, a form of cultural relativity that would allow the Kingdom to disregard those standards that it deems contrary to the Shari’ah. Hence, Saudi Arabia initially abstained from affirming the ‘universality of human rights’ at the San Francisco conference. The abstention was not because it objected to issues of privacy and confidentiality, but concerned articles 16 and 18 of the UDHR relating to women’s rights in marriage and the freedom to change religion. The Saudi representative, Al-Baroody, had drawn the UN General Assembly’s attention on several occasions to the point that article 18 would give preferential treatment to missionary religions, affirming that Islam ‘had never engaged in systematic proselytising’.
Therefore, he called for the deletion of the words ‘freedom to maintain or to change his religion’. Following a prolonged debate, the Third Committee approved an amendment to article 18, by a vote of 54 to 0 with 15 abstentions, among them Saudi Arabia, in which the controversial phrase ‘freedom to change’ became ‘freedom to have or to adopt’ in the finally approved text of Article 18. Saudi Arabia was the only country to use cultural and, occasionally, religious grounds to challenge the universality of some provisions of the UDHR. The Saudi representative criticised the authors of the UDHR because they, ‘for the most part, had taken into consideration only the standards recognised by Western civilisation.’ He went on to state that ‘it was not for the Commission to proclaim the superiority of one civilisation over all others, or to establish uniform standards for all the countries in the world.’ Al-Baroody made a further frantic effort to emphasise that the drafters of the declaration used only Western civilisation as their benchmark without regard to the ancient civilisation that had already passed what he called ‘an experimental stage.’ Although the abstaining countries conceded that human rights are universal, they insisted that these ‘must be considered in the context of a dynamic and evolving process of international norm-setting, bearing in mind the significance of national and regional particularities and various historical, cultural and religious background.’ For his part, Al-Baroody called for cultural relativity rather than cultural colonialism. Several Latin American countries, including Venezuela, Brazil and Bolivia, supported the Saudi proposal, but the Committee, as well as delegates from India, Lebanon, France and the Philippines, rejected this proposed amendment.

Also, at Vienna in 1993, the Conference members adopted (by a majority vote) the Vienna Declaration and Programme of Action, which reaffirmed the universal application of human rights and acknowledged the significance of national and regional peculiarities and that various historical, cultural and religious differences have to be taken into consideration. Largely, the Vienna Declaration re-affirms the universalism of the UN Declaration of Human Rights (UDHR) and redeems the imperfections of the original draft. This criticism of the universality of human rights was also echoed by Pollis and Schwab in 1979 when they stated that: ‘The Western political philosophy, upon which the (United Nations) Charter and (Universal) Declaration (of Human Rights) are based, provides only one particular interpretation of human rights, and that this Western notion may not be successfully applicable to non-Western areas due to ideological and cultural differences.’ Ever since, this has triggered a theoretical debate between the Universalists and the Relativists on the universality of human rights from the anthropological and cross-cultural relativity of the different continents, for example, Africa, Asia, and the Muslim world. For instance, some of the relativists are of the view that: ‘Cultures manifest so wide and diverse a range of preference, morality, motivations, and evaluations that no human rights principles can be said to be self-evident and recognised at all times and all places.’ The relativists maintain that a culture or society may be judged by no absolute values or principles other than those of the culture itself. They further assert that there is a connection between the ‘cultural origin of value or principle and its validity for that culture.’ Although they conceded that, for every culture, some moral judgments are valid, they maintained that no judgment is universally valid.
Therefore, if a human right is not indigenous to a particular culture, its validity and applicability to that culture are doubtful and it is also, by extension, ‘alien and incompatible’ with non-Western cultural and religious traditions. Conversely, the Universalists argued that at least some moral judgments are universally valid, and therefore the collections of rights as enunciated in the UDHR and other international human rights covenants and treaties are universally valid. This debate has culminated in the evolution of other perspectives, including the ‘essentialist framework.’ The essentialists focus more on the view that cultures have core or ‘essential’ properties among their values and beliefs, and on the essential connection between any given culture and the ‘universal’ human rights doctrines. Does the doctrine reflect the values and beliefs of their cultures, and does it embody the social, religious, economic and philosophic character of a given society? To essentialists, it is not the question of origins or universality of the culture, but their validity. Therefore, for instance, if a culture is Western, then it cannot be universal. Although ‘not binding with the same force as domestic legislation’, the UDHR stands as ‘a common standard of achievement for all peoples and of all nations’ or ‘an inclusive set of rights that transcend most cultural and ideological divisions.’ It has also been argued that the high incidence of consensus (80 per cent) with which the resolutions of the Commission on Human Rights have been adopted further stresses the universality of the Declaration itself. This assertion has been challenged by the Muslim world. They doubt its universality or compatibility with the whole world. Rather, they opine that the UDHR is simply a manifestation of Liberal, Western, Christian ideas. However, the Arab Charter eventually reaffirmed the UDHR in its preamble.
It is worthy of note that this debate is brought forth just to show that the arguments and abstentions to the UDHR by Saudi Arabia and eight other nations are not unfounded. While the West continues to maintain that there should not be a different definition of human rights for different regions, such reservations exhibited by Saudi Arabia have continued to reflect on its perception of the definition and application of human rights in its domestic laws. Based on the arguments stated above, to some Muslims, human rights are a cultural concept of morality that is European in origin, and that evolved from European modern thought on natural law. The Western countries later elevated them to legal institutional standards, which finally ended up as a ‘universal’ declaration and international law. Despite its consistent rejection of the notion of the universality of the UDHR, it is argued that Saudi Arabia’s approach to the UDHR is a slight shift from its usual position of rejecting any inconsistencies with the Shari’ah. It has been argued that, if strict Wahhabism were taken fully into consideration, Saudi Arabia would likely vote against the UDHR. It is interesting to note that Saudi Arabia’s changing and sometimes ambiguous positions about international human rights standards and instruments imply pragmatism and malleability on the part of the Saudi Government and that of the Islamic Shari’ah. Ordinarily, Islamic international law permits the application of international commitments to the domestic legal system if they are not contrary to the Shari’ah. It is the author’s submission that this approach creates optimism that Saudi Arabia might, eventually, adopt a more liberal approach to its interpretation of the Shari’ah with a potential tendency to align with the universality of human rights as they are.

Moreover, Saudi Arabia has generally endorsed the UDHR and subsequent human rights covenants, conventions and protocols, noting that the Shari’ah guaranteed human rights and explaining how the Convention’s articles were incorporated in Saudi laws. Saudi Arabia had claimed in its regular national report, submitted to the Human Rights Council of the UN, that it has made numerous laws which are relevant to the Convention, including the law prohibiting torture during investigations, which stipulates that ‘confessions should result from thorough and careful investigation without torture.’ Having stated the above, the focus now shifts to the particular provision of the UDHR on the right to confidentiality. As noted earlier, there is no significant distinction in the definition of what constitutes the right to privacy or confidentiality between the UDHR and Saudi Arabia’s Islamic interpretation of human rights. Rather, the difference lies more in the quality of the laws and their application in protecting the right to confidentiality. For instance, Article 12 of the UDHR (1948) provides that every person has the right to privacy, i.e., in the sense of protection of access to their family, home and correspondence. It provides: ‘No-one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks.’ However, Article 30 of the UDHR limits the application of all human rights to the extent that it does not confer on any person, group or state the right to engage in any activity or to perform any act that interferes with the rights and freedoms of others as provided therein. The UDHR presumably forms the international benchmark on privacy rights, which explicitly provides for the protection of both territorial and communications privacy.
Several other international covenants and treaties, to some of which Saudi Arabia has acceded, have reinforced the UDHR, for example, the UN Convention on the Rights of the Child (CRC), the Convention on the Rights of Persons with Disabilities (CRPD) and the UN Convention on Protection of the Child, as well as the International Covenant on Civil and Political Rights (ICCPR). Regionally, the Arab Charter on Human Rights and the European Commission’s Convention for the Protection of Human Rights and Fundamental Freedoms made the privacy right enforceable within their respective jurisdictions. For instance, Article 17 of the ICCPR prohibits the State parties from interfering with the privacy of those within their jurisdiction and requires them to protect those persons by law against arbitrary or unlawful interference with their privacy, which includes information about an individual’s identity, as well as the private life of the person. The ICCPR provides: ‘No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.’ The ECHR equally provides for the right of privacy and confidentiality as follows: ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’ In spite of these commonalities, the Muslim world had sought an alternative concept of human rights other than that under the UDHR.

3.4. Alternative Islamic Human Rights Declarations

Muslims generally believe that human rights are God-given and not given by any king or by a legislative assembly. They maintain that when the Muslims ‘want to find out what is right and what is wrong we do not go to the United Nations; we go to the Holy Koran.’ Under Islamic law, no ruler, government, assembly or authority has the power to curtail or violate in any way the human rights conferred by God, nor can they be surrendered. Thus, the role of Muslims is strictly confined to the application of Shari’ah as an inherent and binding part of the application of the law. Muslims are required to capture and discover God’s law. However, only a qualified Muslim jurist (mujtahid; plural mujtahidun) can undertake such an important role of endeavouring to formulate a rule of law based on evidence (dalil) found in the sources. In this section, the thesis discusses the reasons why an alternative to the UDHR was sought by the Muslim community. As pointed out in section 3.3 above, there have been some misgivings about the ‘universality’ of the UDHR and its ‘compatibility’ with the whole world. For Muslims, one of the most frequently asked questions concerning the UDHR is: how universal is it really, is it compatible with the whole world, or is it simply a manifestation of liberal Western Christian ideas? The UDHR is considered a universal document on human rights and liberty. However, critics have argued that it has failed to achieve this objective due to its secular philosophy and because it does not take cognisance of the fundamental diversity of the people around the world, particularly that of the Muslims. In line with the above criticisms, Muslim countries had, before their eventual affirmation of the UDHR through the Arab Charter, felt that the UDHR was contrary to Islam and therefore of no validity in Islamic countries.
This might have stemmed from the conservative interpretation of the Shari’ah by which Muslims recognise no authority or power but that of Almighty God and hold that there is no validly recognised legal tradition apart from Islamic law. It hardly needs emphasising that Shari’ah is the primary and main source of law for Saudi Arabia. The main sources of Shari’ah are the Holy Qur’an (considered by Muslims as the Constitution), the Sunnah, and other secondary sources. Any Saudi law or legislation that conflicts with the principles of Shari’ah shall be ineffective to the extent of that inconsistency. Therefore, to understand and appreciate the uniqueness of any protection given to patient confidentiality under the Saudi legal system, we must first understand the applicable rules of privacy and confidentiality under the Shari’ah; hence the need for the review under this section. According to the doctrine of Shari’ah, every aspect of life is deemed private unless shown otherwise. The public sphere is that in which governmental authority operates, making it both transparent and open to scrutiny and observation. A striking instance of conflict between individual freedom in Islam and the modern concept of freedom is in the Islamic doctrine that ‘all human acts are subject to God’s will.’ This doctrine does not seem to fit into any of the known schools of thought, not least the naturalist school, which holds that human rights are ‘the rights possessed by all humans being human beings in the society.’ Under the Shari’ah, individuals owe stratified obligations toward God, fellow humans, and nature. It is only upon discharging the obligations that an individual qualifies for, and acquires, certain rights as defined by the Shari’ah. Therefore, those who do not accept or discharge these duties have no rights, and cannot justifiably claim freedom or right over society. Consequently, in Islam, human rights exist only in relation to human obligations.
Unlike the UDHR, which is not legally binding and can be withdrawn or modified, the rights ordained by God are not subject to withdrawal or amendment, Muslims asserted. The Quran has made relatively more references to duties (farud) than to rights (huquq) (or, better translated, ‘claims’). The so-called ‘inalienable’ rights as held in the Western sense are those belonging only to Allah and to the state. However, the individual’s lack of rights is not seen by Islam in a negative light because this condition supports communalism rather than individualism, i.e., the individual’s rights are subject to the community’s (public) interest. This is predicated on the assumption that, in Islam, ‘humans are not created for solitariness and impervious individuality (but) for community, relationship and dialogue.’ Thus, a Muslim, ‘one who submits’ completely to God, is not the ‘autonomous’ individual, as viewed in Western philosophy. Thus, an individual’s right is subject to the condition that ‘this right is to be exercised for righteousness of all [so] we may call it the common good.’

As with conventional human rights, the right to confidentiality could conflict with other rights, for example, the public’s interest in knowing, or another individual’s right to expression. Under the Shari’ah, confidentiality is all about keeping secrets and, as in all other ethical systems, there could arise a conflict of interest between the individual’s right to keep their secret and that of the public to know, to serve ‘ma’aslaha amma’ (the public’s benefit). Islamic ethics is no exception. For example, a physician may find that a female patient sustained a fractured rib because of domestic violence inflicted by her husband rather than because of the reported accidental fall. Under standard Islamic criminal law, any harm or injury must be reported to the legal authorities to ensure that the husband, as in this hypothetical case, is prosecuted and, if convicted, punished. It is noteworthy that, during the early period of Islam, the term ‘privacy’ was not clearly defined, although it could be inferred from the rulings in cases involving theft, trusts, seeking permission, exposing others’ secrets and general morals, among others. For instance, the Holy Qur’an provides: “Oh you who believe! Do not enter houses other than your own houses until you have asked permission and saluted their inmates; this is better for you, that you may be mindful.” The modern-day definition of privacy under Islamic law emanates from scholars’ efforts in gathering texts from the Qur’an and the Sunnah. Medical confidentiality in Islam is a type of confidentiality that is based on three Islamic ethical principles. The first principle is contained in the Qur’anic prohibition against backbiting: O you who have believed, avoid much [negative] assumption. Indeed, some assumption is sin. And do not spy or backbite each other. Would one of you like to eat the flesh of his brother when dead? You would detest it.
And fear Allah; indeed, Allah is accepting of repentance and Merciful. Furthermore, some of the Prophet’s statements (Sunnah/Hadith) related to privacy reinforce these provisions from the Qur’an: Do not harm the Muslims, nor revile them, nor spy on them to expose their secrets. For indeed whoever tries to expose his Muslim brother’s secrets, Allah exposes his secrets wide open, even if he were in the depth of his house. Yet another hadith of the Prophet says: If someone is peeping (looking secretly) into your house without your permission, and you throw a stone at him and poke his eyes, you will not be blamed. If a person listens to the talk of those who do not wish to be heard, then molten lead will be poured into his ears on the Day of Resurrection. One who looks at his brother’s letter without his permission is essentially looking into the fire of Hell. The second principle is based on the obligation to protect secrets as ordained by the Qur’an: ‘Verily, Allah commands that you should render back the trusts to those, to whom they are due.’ And lastly, the protection of confidentiality is a kind of loyalty. This is based on several Qur’anic verses, for instance: ‘Those who are faithfully true to their Amanât (all the duties which Allah has ordained, honesty, moral responsibility and trusts) and to their covenants’. These quoted verses of the Quran and the examples of statements (Sunnah) of the Prophet have clearly shown that spying is forbidden for all Muslims, individuals and state actors alike. This is all the more relevant as the Saudi Basic Law of Governance has reiterated that its constitution shall be the Book of God and the Sunnah (Traditions) of His Messenger (Shari’ah). As the government derives its legitimacy and authority from the Shari’ah, it shall protect human rights according to the Shari’ah, and any applicable law shall be consistent with the Shari’ah.
In view of the above, the question for now is: since Saudi Arabia has affirmed the UDHR through the Arab Charter, can Saudi Arabian human rights law and the international human rights laws be reconciled? Muslim writers have argued that, when Muslims noticed the discrepancies between the UDHR and Islamic law, the Muslim world clamoured for the amendment of the UDHR to accommodate the Islamic legal system. The unsuccessful struggle has therefore led to the emergence of alternative international instruments that meet their demands, to wit, the Universal Islamic Declaration of Human Rights (UIDHR), 1981, and the Cairo Declaration of Human Rights in Islam (CDHRI), 1990.

The right to privacy and confidentiality is clearly protected under Article 12 of the UDHR (1948), which provides as follows: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” It would not be out of place to point out at the outset that there is no conflict in the definition, nature and scope of the rights to privacy and confidentiality between Islamic law and the UDHR. However, for the sake of argument, let us review the Islamic alternatives to the UDHR and find where and how they depart from it, if at all.

3.4.1. The Universal Islamic Declaration on Human Rights (UIDHR)

A non-governmental organisation, the Islamic Council, introduced the UIDHR at the UNESCO headquarters in Paris in 1981 as an Islamic concept of human rights to serve as an alternative to the UDHR. Unlike the UDHR, it was a religious declaration for humanity, offering guidance and instruction to those who fear God. A reference to ‘the Law’ in the Declaration text refers only to the Shari’ah, derived from the Qur’an and Sunnah, and any other laws deduced from these two sources by valid methods in Islamic jurisprudence. All the articles in the declaration have an explicit reference to certain verses of the Qur’an or specific parts of the Sunnah. The West would view this as limiting the scope of the UDHR in the universal application of human rights. The UIDHR asserts in its foreword as follows: ‘All Human Rights are given by God and God only, and due to their divine origin, no ruler, government, assembly or authority can curtail or violate in any way the human rights conferred by God, nor can they be surrendered.’ Notable additions under the UIDHR, relative to the UDHR, include the duties to defend the rights of other persons and the community, to protest against injustice and to refuse to obey any command that is contrary to the Law, the right to found a family, and the right of married women, among others. It is noteworthy that, overall, the declaration remains relatively neutral on ‘sensitive’ questions such as women’s rights, the rights of minorities and freedom of belief, as none of these issues is openly confronted, even though they are to some extent vague. The UIDHR exists in two versions: one in English and another in Arabic. It has been argued that there is a significant difference between the two versions, with the English version appearing to be more in compliance with the UDHR while the one in Arabic relies much more on Shari’ah.
The UIDHR provides for the right of privacy in the following words: ‘Every person is entitled to the protection of his privacy.’ The UIDHR, too, has applied some exceptions to the enforcement of human rights. It provides that under certain circumstances, state authorities may justifiably infringe upon human rights to protect ‘the rights and the freedom of others and, of meeting the just requirements of morality, public order and the general welfare of the Community (Ummah).’ Therefore, under the UIDHR, the right to privacy (or any other right under this declaration) is subject only to the following exceptions or limitations: ‘In the exercise and enjoyment of the rights referred to above (,) every person shall be subject only to such limitations as are enjoined by the Law for the purpose of securing the due recognition of, and respect for, the rights and the freedom of others and of meeting the just requirements of morality, public order and the general welfare of the Community (Ummah).’ This exception is essentially similar, if not identical, to Article 29 (2) of the UDHR, which provides: “In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.” The notable distinction here is that the UIDHR does not offer a definition of what constitutes ‘privacy’ and whether it includes confidentiality.
Note further that the ‘Law’ alluded to in the UIDHR is neither the UDHR, the Arab Charter nor any other secular law, but the Shari’ah: ‘the totality of ordinances derived from the Qur’an and the Sunnah and any other laws that are deduced from these two sources by methods considered valid in Islamic jurisprudence.’ The other instance in which the Islamic standpoint on human rights differs from the Western viewpoint is that individual Muslims are divinely obliged to show obedience to constituted authorities. The individual is enjoined always to stand in support of, and act as an integral part of, the government, and not as an opposition party, unlike under Western governments, where individuals and the government are separate. Consequently, there is no obvious need to define individual rights in contradistinction to the state. This may have been premised on the assumption that the ruler is ideally competent and therefore ‘no adequate machinery is provided by the legal theory to protect the individual rights against the state.’ This explains the argument that Islamic law is ‘fundamentally opposed to the notion of an independent judiciary fearlessly defining the limits of the power of the State over the individual and powerful enough to give effect to its decisions.’

In Western legal systems, from which international human rights originated, the sovereignty resides with the people. Therefore, the nation is entitled, through its representatives, to change an existing law or create a new one, to respond to social changes in a given society and in a given time. Conversely, under Shari’ah, God alone is the sovereign, and therefore, secular institutions are not empowered to formulate or amend the law. Consequently, the Muslims must regulate their actions to comply with His law (the Shari’ah) at all times. Furthermore, entitlement to human rights is by grant, not by virtue of being human. The implication of this for human rights under the Shari’ah rules is that human beings are only entitled to those rights granted them by the Shari’ah, not by virtue of being human beings or individuals, but merely by virtue of the divine will. Thus, unless international human rights are recognised by the Shari’ah, the expression of God’s will, they cannot enjoy the status of rights in a Muslim state, and therefore they are not worthy of the protection of the law.

3.4.2. The Cairo Declaration on Human Rights in Islam (CDHRI) 1990

The second Islamic Charter reviewed is the Cairo Declaration on Human Rights in Islam (CDHRI) 1990. In refusing to acknowledge the universality of these documents, Saudi Arabia attempted to develop a different human rights declaration and therefore formed a coalition comprising several Muslim states in order to produce a human rights document compatible with the precepts of the Islamic Shari’ah. Over the years, these attempts have resulted in the production of several ‘Islamic’ human rights documents. The most recent of these was the Cairo Declaration on Human Rights in Islam 1990, which was presented by the Saudi Foreign Minister to the 1993 World Human Rights Conference, held in Vienna. The CDHRI 1990, which, unlike the UIDHR, was a governmental approach, was adopted in Cairo by the 19th Islamic Conference of Foreign Ministers of the 45 Member States of the Organization of the Islamic Cooperation (OIC). The CDHRI became the only acceptable and practicable International Islamic Instrument on human rights. For instance, a UN sub-committee for resolving women’s rights issues had referred to the CDHRI in the preamble to a resolution adopted on 21 August 1998. Also, a UN Commission adopted resolution 1994/79 calling on the government of Sudan ‘to comply with applicable international human rights instruments and to bring its national legislation into accordance with the instruments to which Sudan was a party,’ that is, the CDHRI 1990. This Cairo Declaration went on to become a reference point for several Muslim states because they considered it a more feasible Islamic alternative to the UDHR during the 1997 Organisation of the Islamic Conference, held in Tehran. However, the Declaration has not managed to achieve the recognition or support of the international community, as ascertained by the UN Secretary-General, Kofi Annan, who in 1998 rejected it by reasserting that the rights recognised under the UDHR were universally applicable.
The CDHRI establishes the Shari’ah law as "the only source of reference" for the protection of human rights in Islamic countries. Despite the initial aversion to it, the CDHRI was presented to the UN in 1992 and it was accepted into the Human Rights Commission’s Compilation of International Instruments in 1997. Since then the CDHRI has formed a part of the international instrument on human rights. The CDHRI affirms that: …All men are equal in terms of basic human dignity and basic obligations and responsibilities, without any discrimination on the basis of race, colour, language, belief, sex, religion, political affiliation, social status or other considerations… The CDHRI further affirms the equality of men and women with their respective rights and duties, and that Islam alone is its base. The CDHRI provides for privacy as follows: “(b) Everyone shall have the right to privacy in the conduct of his private affairs, in his home, among his family, with regard to his property and his relationships. It is not permitted to spy on him, to place him under surveillance or to besmirch his good name. The State shall protect him from arbitrary interference. (c) A private residence is inviolable in all cases. It will not be entered without permission from its inhabitants or in any unlawful manner, nor shall it be demolished or confiscated and its dwellers evicted.” However, several additional concerns persist which raise issues of its implementation and compliance by member states. It has been suggested that there has been a significant disparity between theory and practice in the application of human rights by the Arab League member states that raises troubling questions. This resultant gap between the law as it is and practical reality prompts doubts as to whether the member states that supported the CDHRI ever intended to follow its supposedly culturally based principles, especially in cases where those principles would redress the status quo in the balance of power.
For instance, some of the member states have shown little inclination either before or after the issuance of the Cairo Declaration to honour the principles outlined in articles 18(b) and 18(c) of the Cairo Declaration.

3.5 The Possibility of Adapting the Shari’ah to the UDHR or Vice Versa

Currently, Saudi Arabia is one of the countries acknowledged as holding a non-compliant and controversial position towards internationally accepted human rights laws. Its position was initially demonstrated when it abstained from voting on the Universal Declaration of Human Rights (UDHR) in 1948. It has been argued that the question of compatibility between Islam and human rights cannot be answered with a simple yes or no but depends on the different interpretations or ‘kind’ of Islam and its compatibility with what kinds of human rights, when, where and with whom. Given that Islamic Shari’ah is the supreme law of Saudi Arabia, it becomes imperative to seek balance in compliance with international human rights instruments by a liberal approach to interpreting Islamic principles while ensuring that the tenets of the Shari’ah are not fundamentally breached in the process. It is also submitted that the international community should recognise that human rights are guaranteed under the Shari’ah, and it will make for greater understanding if this perspective is taken into consideration in the drafting of international human rights instruments. Therefore, the need to make room for the diverse cultures of the people of the world in the interpretation of what human rights are cannot be overemphasised.

3.5.1 Saudi Arabia’s Engagement with International Human Rights Institutions

Saudi Arabia is increasingly pursuing its objective to become more fully a part of the international legal and institutional system, not limited solely to the area of human rights. Despite several criticisms of Saudi Arabia’s resistance to the UDHR and for not ratifying some major UN human rights covenants, it has stepped up its own defence to show that it has increasingly engaged with the UN in many other human rights projects. Also, the requirements for joining the World Trade Organisation (WTO) have encouraged Saudi Arabia to fulfil the stipulated conditions, within which some aspects of human rights compliance have been positively influenced. Abdulaziz M. Alwasil has attempted to highlight the various levels of growing engagements and interactions that Saudi Arabia has been undertaking with the UN to show the degree of their cooperation on human rights issues. For instance, he submits that Saudi Arabia has participated in the creation of the international human rights project and has shown, especially in the previous few years, signs of greater adherence to the internationally recognised human rights standards. Although Saudi Arabia has made some progress on the subject of human rights, further improvements are required to safeguard human rights. Saudi Arabia’s human rights record became the subject, for the first time, of scrutiny under the 1503 procedure. Taking into consideration the consequences of the possible adoption of a resolution condemning the violations of human rights in Saudi Arabia, the Kingdom had to re-examine its strategies in dealing with the UN human rights system. Responding to these communications, which related to the lack of legal safeguards in the Saudi judicial system, the Kingdom provided the Sub-Commission with detailed documents on some specific cases of alleged human rights violations and Saudi Arabia’s judicial system.
Saudi Arabia has attempted to change its pattern of engagement in the UN human rights system, from limited involvement to becoming part of the international human rights arrangements. Initially, the issue of human rights received negligible attention among Saudis domestically. Neither the government nor the people showed an interest in discussing human rights as such. However, a variety of international and national circumstances have changed the approach to some issues in Saudi Arabia, including human rights. Saudi Arabia has repeatedly declared in its statements before the Commission of Human Rights, and later at the Human Rights Council, that Islamic law comprises a comprehensive system of human rights. Concerning application, it has been argued that the country has implemented the legal and administrative reforms that are required as a part of the Kingdom’s obligations under relevant international treaties, including CERD. Against this background, Saudi Arabia seems to have retreated from directly opposing the main international human rights documents based on cultural differences. Instead, in 1998, the Saudi Government established a committee to consider the ratification of the ICCPR and International Covenant on Economic, Social, and Cultural Rights 1966. However, to date and despite repeated promises to ratify those Covenants, Saudi Arabia remains a non-member state to both. However, despite its rare abstentions, Saudi Arabia cast its vote in favour of nearly all the resolutions that structured the international human rights treaties system. At the same time, unfortunately, Saudi Arabia’s abstention during the GA vote approving the UDHR has led some critics to generalise about the Saudi position concerning the international human rights project. Despite these laudable attempts, the dilemma of sticking to its own interpretation of the Shari’ah and at the same time acceding to the requirements of the IHRLs still taunts it.
Consequently, Saudi Arabia has acceded, although under certain conditions, to some UN human rights covenants. For instance, its accession to the Convention on the Rights of the Child (CRC) was conditioned by a generalised reservation that Saudi Arabia would not be bound by those articles of the CRC that might conflict with provisions of Islamic law. It acceded to the Convention against Torture (CAT) in September 1997, with two specific reservations, namely not recognising the jurisdiction of the Committee as provided in article 20, and not to be bound by the provisions of paragraph 1 of article 30. Also, in September 2000, Saudi Arabia acceded to the Convention on the Elimination of all Forms of Discrimination against Women (CEDAW), with a general reservation that it would not be obliged to observe its provisions that were contrary to Islam. Also, it would not be bound by article 29, paragraph 1, concerning bringing disputes with other states to the International Court of Justice. The second specific reservation was that Saudi Arabia would not be bound by article 29, paragraph 2, which granted women equal rights with men concerning the nationality of their children.

Therefore, the Saudi Arabian Government, pursuant to its obligations under the CAT, in March 2000 established a committee to investigate allegations of torture. Also, it asserted that its Code of Criminal Procedure, which came into force in May 2002, has addressed some of Saudi Arabia’s obligations under CAT by specifying the legal procedures and due process rights. The Committee welcomed Saudi Arabia’s positive steps, including the competence of the Board of Grievances to hear allegations of violations of human rights, but yet expressed concern over some matters, including, in particular, flogging and amputation of limbs, that were not considered as conforming with the Convention. Furthermore, the Committee expressed, in 19 points, its concerns and recommendations, inter alia that ‘guarantees of non-discrimination laid down in law, without a mechanism to monitor their application, do not ensure the enjoyment of non-discrimination’. It was Saudi Arabia’s view that the Committee’s questions reflected its lack of understanding of Saudi Arabia and ignorance of the fact that the Holy Qur’an and the Sunnah were the Constitution, which could not be amended. For instance, it defended the use of corporal punishment for crimes as dictates of the Holy Qur’an and said that these sanctions could neither be abrogated nor amended since they emanated from God and the state was bound to refrain from taking any decision that ran contrary to the Shari’ah. The reality is that the Shari’ah remains the constitutional base for Saudi Arabia, which is distinct from the universality of human rights. The issue is that, because of the globalisation of almost everything, some interaction and/or interface between Shari’ah-based laws and the IHRLs might not be avoided entirely. Saudi Arabia assumes the status of the principal Muslim state that protects Islamic traditional norms. The Kingdom has also been described as ‘the most traditionalist Islamic legal system in the world today’.
Since its founding, the Kingdom of Saudi Arabia has generally retained its adherence to the traditional juristic treatises of the four Sunni schools of Islamic jurisprudence, particularly that of the Hanbalî School, in almost all aspects of its state law. The Basic Law of Government, introduced as late as 1992, is the nearest form of constitution that Saudi Arabia has ever had. Given that it is, in a sense, the constitution, one might think that it should override any other legislation. However, in scrutinising the Basic Law, different facts may arise. For instance, Article 1 states ‘The Kingdom of Saudi Arabia is a sovereign Arab Islamic state with Islam as its religion; God’s Book and the Sunnah of His Prophet, (God’s prayers and peace be upon him), are its constitution’. In the same respect, Article 7 of the Basic Law reads ‘The regime derives its power from the Holy Qur’an and the Prophet’s Sunnah which rule over this and all other State Laws’. Furthermore, Article 23 states that ‘The state protects Islam; it implements its Shari’ah’. It is instructive to note that six articles of the Universal Declaration of Human Rights 1948 (UDHR) ‘conform fully to Islamic law, which has long dealt with all the points they raised under its perfect social regulations’. Those include the Articles dealing with privacy and confidentiality and the right to a fair trial and due process. It cannot be overstressed that in regard to the right of privacy and confidentiality, the UDHR and the Shari’ah apply in tandem with each other. It is consoling to note that, at the time of its application to become a member of the UN Human Rights Commission, Saudi Arabia had pledged its commitment to promote and protect human rights, and authorized the drafting of a national human rights strategy that is based on the Islamic sharia, its domestic, regional and international laws/instruments to which Saudi Arabia is a party, and human rights declarations.
Notwithstanding this, Saudi Arabia is not yet a state party to the ICCPR, but it is, to date, a state party to at least 17 other international treaties relating to human rights, many of which contain relevant elements of the right to privacy and confidentiality. It is also a state party to the Arab Charter on Human Rights and a signatory to the OIC’s Cairo Declaration on Human Rights in Islam. Meanwhile, international human rights can only be recognised under Saudi Arabian law if they are deemed compatible with the Shari’ah rules. Since the Shari’ah contains rules that are interpreted as being incompatible with the IHRLs, two approaches could be considered in order to resolve the conflict between the two. This could facilitate the joining of Saudi Arabia to the ICCPR.

Firstly, it is necessary to ‘adapt’ the Shari’ah to fit modern requirements but with the risk of inconsistency with the conservative Islamic legal theory and with the chance of eliminating the conflict between the Shari’ah and the IHRLs. This is a necessary move if Saudi Arabia is to be able to comply with the international norms set out in the IHRLs. But will this modernists’ approach ever be accepted as legitimate, i.e. will they be viewed as conforming to the Shari’ah precepts? The second option is to make reservations on particular Articles of the IHRLs in order to reconcile it with the Shari’ah. This would place the Government of Saudi Arabia in an impossible dilemma because it cannot ratify and honour, for instance, the IHRLs without violating the Shari’ah, which is still to date central to both the Saudi Arabian constitution and the Saudis’ way of life. Conversely, it cannot also modify its obligations under the IHRLs without violating the object and the purpose of the Covenant, thereby resulting in a stalemate situation. In facing this inescapable reality, Saudi Arabia will either have to go back to its original stance based upon the argument of the relativity of the values protected by the IHRLs or liberalise its interpretation of the Shari’ah and/or make radical modifications to its constitutional and legal systems in order to comply with the spirit and standards of the IHRLs. Despite the seeming hopelessness of the situation, the UN human rights system has significantly provided the necessary environment for empowering and legitimising other forms of influence. Saudi Arabia may adopt international conventions into its domestic laws if they are not inconsistent with the Shari’ah. In such discussions on possible adoption, the question that begs for an answer is, is Saudi secular or theocratic?
In a recent study, the author related a historical anthropologist’s (Madawi al-Rasheed’s) definition of the current Saudi monarchy as ‘politically secular, and socially religious’. Secularism is defined here as the separation between religion and politics or between governmental practices/institutions and religious beliefs. However, other studies on the Saudi state often emphasise the fusion of religion and politics. Saudi constitutional law and its judicial system rest on traditional Islamic legal principles: the Qur’an and Sunna form its constitution and Islamic Fiqh supports the laws of the state. In such a discourse, one may not overlook the role of the Ulama (Islamic scholars). Al-Rasheed had further argued that the de facto separation between religion and politics in an otherwise highly Islamised public sphere has arisen as the official Wahhabi ‘ulama’ have taken on the role of guardians of the social order, all the while relinquishing any political authority to the ruling family and state machinery. Hence, the use of the connotation ‘theocratic unitarian state’ regarding Saudi Arabia by earlier generations of scholars is misleading, al-Rasheed stresses. Her observations about (what she calls) the ‘enigmatic duality’ challenge the long-standing notions about Saudi Arabia as a theocracy. Therefore, whether theocratic or secular, a necessary move is for Saudi Arabia to comply with the international norms set out in the international human rights laws, but would they still conform to the Shari’ah precepts?
It appears that despite its giant strides in attempting to rationalise with the international human rights laws, the subservience of the Saudi constitution to the Shari’ah would continue, in the ‘Western view’, to impede the adaptability and full integration of the Saudi laws into the international human rights system unless some liberal approach to the canon of interpretation is adopted. Apart from the general application of Islamic law, Royal Decrees enact legislation in the form of statutes and regulations that apply as subsidiary sources of law. Generally, formal laws in the Western sense are comparatively few in Saudi Arabia. While this can, to some extent, make it easy for a flexible interpretation of law and tradition, it can conversely make it difficult to determine the actual scope and position of the law, especially in a system not strictly based on judicial precedents.

Conversely, it may also help, as Mashood Baderin rightly observed, if only some of the international human rights interpretations ‘not take Islamic values into consideration’. This arrangement may facilitate a seamless application of international law according to Saudi Arabian domestic law, without the usual conflicts with the Shari’ah, to which Saudi Arabia is obliged to adhere.

3.5.2. Impediments to Possible Adoption of IHRL into Saudi Domestic Laws: The Supremacy of the Shari’ah

Despite its recent moves and engagements towards possible adoption of the IHRL, some factors may still impede the speed of such a process. One such factor is its relationship with the Shari’ah. As stated earlier, the Shari’ah is the expression of God’s will. Therefore, Muslims believe that, in order to please God in this life and to win His mercy and His promised heaven in the hereafter, it is essential to adhere to His law. In Islam, man does not possess the authority to create the law as this privilege belongs exclusively to God Almighty. His law, furthermore, is, according to Islamic legal theory, immutable and valid for all time and all human beings. It is stated in the Qur’an: ‘Then We put thee on the [right] way of religion: so, follow thou that [way], and follow not the desires of those who have no knowledge.’ For the sake of emphasis, despite the introduction of the Basic Law in Saudi Arabia, it is the Islamic Shari’ah that remains the supreme law of Saudi Arabia. It follows, therefore, that if Saudi Arabia is to ratify any international treaty or introduce any law for that matter, it can only do so if it is interpreted as being consistent with the Shari’ah. If this is not the case then that law will have no force or effect, and consequently will not be applied by the judiciary in cases brought before them. This fact is made explicit by the Basic Law, as Article 48 states that: ‘The courts will apply the rules of the Islamic Shari’ah in the cases that are brought before them, in accordance with what is indicated in the Book and the Sunnah, and statutes decreed by the Ruler which do not contradict the Book or the Sunnah.’ The Basic Law is not new legislation but the codification of existing laws.
The Saudi Basic Law of Government, which contains a chapter on rights and duties, was not considered by the ruling authority as new legislation (tashri‘) per se, but rather as a codification (taqnīn) of what already existed within the Islamic Shari’ah applied in the Kingdom. It is clear, therefore, that as long as Saudi Arabian law proclaims the Islamic Shari’ah to be the supreme law of the land, the Shari’ah is considered superior to man-made laws, including international human rights laws. Following from this, in order for international human rights laws to be applied domestically in an Islamic state, the law must not be at variance with the Shari’ah. Considering that the Shari’ah is not explicit for all cases, it is important that where new cases requiring an interpretation of the Shari’ah arise, an interpretation compatible with the tenets of Shari’ah is applied. As such, when codifying the Shari’ah and adopting the doctrine of talfiq in the exercise of ‘ijtihad,’ the form suggested by the modernist movement is not followed, as doing so would amount to distortion and secularisation of the Shari’ah.

3.6 Conclusion

This thesis reckons that patient confidentiality forms part of the universally acclaimed human right to privacy and confidentiality. This is as declared in the UDHR instrument, upheld under the various UN conventions and affirmed by several regional charters, including, for example, the ECHR and the ACHR. These instruments purport to guarantee the right to privacy and confidentiality and have made provisions to prevent state organs and individuals from abusing these rights. The Shari’ah has been misinterpreted or misunderstood to be against human rights. Consequently, the Shari’ah concept of human rights is being interpreted in some quarters as running in parallel to those obtainable under the international human rights laws in some cases. This has triggered the formation of alternative Islamic declarations on human rights like the UIDHR, the CDHRI and the ACHR, in which the recognised source of law is Shari’ah and not secular laws. Given their peculiarity and the lack of structures for enforcement similar to those obtainable in secular jurisdictions, e.g., Europe, where the ECtHR enforces the ECHR and observes strict compliance to the triple tests introduced in section 2.4. of this thesis, the Shari’ah-based regional instruments fall short of the so-called acclaimed international best standards. The view of this author is, however, that compatibility with the tenets of Islamic law should be considered as the best standards as far as Islamic states are concerned. It has been argued in this chapter that despite Saudi Arabia’s affirmation of the UDHR through the Arab Charter, the Saudi Arabian legal system is still founded on, and is heavily influenced by, Shari’ah law such that Shari’ah law defines the human rights under Saudi laws. It is worthy to note that protecting patient confidentiality is vital under both the Islamic and Saudi laws.
The culmination of these factors makes the Saudi Arabian society a culturally sensitive one wherein privacy and confidentiality are paramount. It is not a surprise that a breach of patient confidentiality is considered a crime under the Saudi Arabian laws. The next chapter of the thesis explores and examines the core Saudi Arabian laws on privacy and confidentiality.

Chapter Four The Saudi Laws On Privacy And Confidentiality

4.1 Introduction

The Saudi legal system provides for constitutional and other statutory protections for privacy and confidentiality. However, the vexed question arises: is the protection for confidentiality in Saudi Arabia dynamic? Law is ‘a lasting social institution, but it must also be able to change’ to keep pace with the dynamics of society. This is because each time that a law is produced to match the world, a world is produced to match the law and vice versa. These dynamics may include challenges of governance from terrorism, crime and epidemics. Others in the context of this research include the challenges posed by the technological advancements in patient information management systems and the evolution of diverse social media networks. These challenges, among others, have resulted in creating difficulties in maintaining the duty of confidentiality as the information gathered tends to become more prone to unlawful disclosures to third parties in such insecure settings. Therefore, to answer the research question on the adequacy of the legal protection to patient confidentiality, it is imperative to review the existing laws and see if they provide adequate safeguards against arbitrary abuse of the right to patient confidentiality as enshrined in international human rights laws. For this purpose, the study categorises the laws on the protection of patient confidentiality into three: comprehensive laws (for example, human rights to confidentiality), sectoral laws (for example, specific laws on data protection), and informal rules or soft norms (for example, professional codes and regulatory guides, among others). The aim here is to assess whether the law protects the patient’s right to confidentiality in the light of evolving technologies and information management systems.
Under the comprehensive laws category, this author reviews the available laws that deal with the general concept of privacy/confidentiality and the professional relationships which give rise to a legal expectation of privacy or confidentiality. These laws ensure the availability and application of the right to patient confidentiality as a fundamental human right. Some of the laws under this category include constitutional provisions and other statutes that made provisions for privacy and confidentiality. Those in this category include the Basic Law of Governance, the Anti-Cybercrime Law, and Telecommunications Law etc. In the healthcare services, the patient is required to share confidential information with co-HCPs so that the latter can process and utilise that information in order to diagnose and treat the patient’s illness in a more efficient manner. Here, the thesis reviews some scattered provisions of the sectoral laws, from different statutes and legislation related to healthcare delivery and health-related research. The legislation includes the Law of Practising Healthcare Professions, the Law of Private Laboratories, Health Law, and the Law of Private Health Institutions. Others include the Law of Trading in Breastfeeding Substitutes, and the Law of Fertilization, Utero-Foetal and Infertility Treatment Units. The last category of the relevant laws considered is the so-called ‘soft norms’ such as practice guidelines as well as social customs and norms of professions. It is very interesting to note that under the Saudi Arabian jurisdiction, there exists a unified professional governing body for all healthcare professions with centralised administration. Therefore, there is only one principal law that governs the practice of all healthcare professions and one ethical code of practice for all healthcare professions.
This is quite unlike most of the other jurisdictions that usually have separate professional bodies with separate laws establishing them, and each body licensing their respective professionals and providing for their practices. For example, under the UK jurisdiction, the Nursing and Midwifery Council, the Pharmacy Council, and Medical and Dental Council, among others, respectively regulate the nursing, pharmacy and medical professional practice in the UK. However, this chapter reviews only the comprehensive laws on privacy and confidentiality and tests them based on the triple test of legality, legitimate aims and proportionality. The laws reviewed are the Basic Law of Governance (constitution) and some selected statutes that have an impact on privacy and confidentiality rights.

4.2 Review of the Saudi ‘Comprehensive’ Law on Right to Confidentiality

It is important to reiterate that there is no established comprehensive data breach notification or data protection law in effect in the Kingdom of Saudi Arabia that is pari passu with what is obtainable under the Western jurisdictions, for example, the UK. This reinforces the argument that the spectrum of current Saudi law, which relates to the confidentiality of personal information, is limited. The available legislation that protects confidentiality does not place privacy or confidentiality as its primary objective. Section 4.2 of this thesis attempts to review the available and applicable laws as they relate, generally, to privacy and confidentiality.

4.2.1 The Basic Law of Governance

No matter how effective international human rights laws may be, the national governments are ultimately responsible for enforcing and guaranteeing the protection of human rights domestically. The relevance of the international instruments to national law and practice must be the starting point for any analysis of their impact on the national laws. Although Saudi Arabia endorsed the UDHR through the Arab Charter, and the substance of its domestic law does not accurately reflect the spirit of the Declaration. The research question is, how adequate is the legal protection of patient confidentiality under the Saudi Arabian laws? To answer this question in the subsequent sections of this thesis, the author examines the Saudi domestic laws in the light of the triple tests of legality, legitimate aim and necessity/proportionality introduced in section 2.3 of this thesis. The results of the triple test would show if any justification to the breach of the right to privacy or confidentiality is not only legal or according to a validly enacted law, but also that it is proportionally necessary for the pursuance of a legitimate aim, and provides for adequate safeguards against arbitrary abuse. The question begging for an answer here is this: is the protection of the right of confidentiality that is accorded under the Saudi legal system comparable to those under the international human rights laws? While this author attempts to answer this question in the subsequent sections, it should suffice to state here that the level of conformity (if any) by Saudi Arabian legal system is heavily influenced by the level of consistency (if any) of any such international instrument with the Islamic law (Shari’ah). 
As discussed earlier on in Chapter 3, the Saudi Arabian (Constitution) Basic Law provides that the State shall protect human rights ‘in accordance with the Islamic Shari’ah.’ Note that neither the UN Declaration, the Arab Charter nor any other covenant or convention explicitly provides that the application of the human right is subject to any sectional, religious or regional law. That seems to be the main exception to the application of the principle of universality of human rights. The Shari’ah precondition arises from the fact that the Basic Law itself declared that the Shari’ah is the very foundation and mainstay of the Saudi Arabian law, and any inconsistency with the Shari’ah would vitiate that other law to the extent of that inconsistency. The Basic Law provides that, ‘the powers to rule the Kingdom of Saudi Arabia emanate from the Book of God and the Sunnah of His Messenger, both of which prevail over this and all other laws of the state.’ The Saudi legal system has also relied on Shari’ah principles when interpreting and implementing secular international human rights laws. The Basic Law, however, contains a list of only a few clear rights and not all possible rights are available under the Shari’ah or the general principles of Islamic law. Nevertheless, a major feature of the Basic Law in modern constitutional terms is that it makes a definite statement on the obligations of the state to protect certain rights of individuals. Furthermore, the Basic Law (constitutional) provision appears to reiterate and reinforce ‘the notion that there is no place for human legislation in an Islamic system.’ However, it is noteworthy that since there is no specific definition of the scope or limits of the ‘Shari’ah’, the uncodified Saudi law and the legal sources could be open to a variety of interpretations and ambiguity.
King Fahad explained the distinctive nature of the Shari’ah-based Saudi Basic Law in its contradistinction to a democratic system, thus:

The democratic system that is predominant in the world is not a suitable system for the peoples of our region. Our people's makeup and unique qualities are different from those of the rest of the world. We cannot import the methods used by people in other countries and apply them to our people. We have our Islamic beliefs that constitute a complete and fully integrated system... In my view, Western democracies may be suitable in their own countries but they do not suit other countries.

Because of the dynamism portrayed by the current Crown Prince, it is still left to be seen if this assertion fully reflects the current Saudi stand on human rights. However, critics have argued that schemes like the Arab Charter and the Saudi Basic Law are designed to shore up the political interests of those promoting them and have only a tenuous connection to Islamic culture. Also, others have pointed out that the Basic Law itself falls below the already inadequate standards of the Cairo Declaration. Although completely unconnected, the remarks made by the Dalai Lama after his meeting with the Non-Governmental Organisations at the Vienna Human Rights Conference took a different perspective from the one made by King Fahad regarding the universal application of the concept of human rights. In his speech, this quintessentially Asian religious figure focused on individual human beings who are the intended beneficiaries of international human rights, and offered this assessment:

As far as human rights are concerned, whether Easterner, or Westerner, Southerner, or Northerner, white or black or yellow - no matter - all individual human beings have the same rights from birth to death. We are all the same.

The Basic Law provided support for the right of privacy, obviously, over that of freedom of expression; Article 39 of the Basic Law of Governance provides that: Mass and publishing media and all means of expression shall use decent language and adhere to State laws and that whatever is injurious to the honour and rights of man, shall be prohibited. It also broadly provides for privacy and confidentiality, because of the highly conservative nature of the Saudi society where privacy is extremely important due to cultural beliefs: Correspondence by telegraph and mail, telephone conversations, and other means of communication shall be protected. They may not be seized, delayed, viewed, or listened to except in cases outlined in the Law. This provision has encompassed both the positive and negative duty of protecting privacy and confidentiality. It undertakes to ensure the protection of confidential information, and will not (or allow others to) breach this right except under certain circumstances as provided by laws. The Basic Law itself does not state what these exceptions are, but different other laws have stated certain exceptions under which infringements of human rights may be justified. As discussed infra, as part of the triple test, the study compares such exceptions under the Saudi laws to those available under the international human rights laws, e.g., Article 29(2) of the UDHR, 8(2) of the ECHR, and Article 24(7) of the Arab Charter, 2004.
Applying the triple elements of legality, legitimate aim and proportionality tests, the author submits that the Saudi Basic Law could partly pass the legality test on the basis that the exceptions are duly provided by or according to a domestic law validly established under Article 40 of the Basic Law. It is noteworthy that the law envisaged is a Shari’ah law and not the international human rights law. However, since the exceptions are not explicitly laid down in the Basic Law itself, a review of those exceptions under some of the laws reviewed in the next sections could reveal if they satisfy the requirements of providing legal sanctions, precision and foreseeability. Conversely, the Basic Law would also pass the legitimate aim test since the grounds for the exceptions are consistent with the legitimate aims listed under articles 29(2) of the UDHR, 8(2) of the ECHR, and 4(a) of the Arab Charter. The test for proportionality of the exceptions is considered under the specific laws allowing for justification for the infringement of the right to privacy and confidentiality in the following sections.

4.2.2 The Anti-Cybercrime Law

The Anti-Cybercrime Law is one such law that deals with the increasing use of personal information in Internet-based applications, which has created privacy concerns worldwide, especially in the Kingdom of Saudi Arabia where there is no uniform e-Privacy Act. The Anti-Cybercrime Law 2007 is mainly concerned with computer-related frauds, spying, defamation using camera-operated devices and other related crimes like hacking. It is relevant to the thesis because several provisions have a bearing on the protection of the privacy of individuals, and the Saudi courts have often invoked these provisions when dealing with cases of defamation and breach of privacy using social media. The Law makes it an offence to spy on, threaten or blackmail any person, to gain unlawful access to or hack a web site, to invade privacy through the misuse of camera-equipped mobile phones and to defame and inflict damage upon others using various information technology devices. The following acts are considered a cyber-crime under the Act: producing and distributing content that ridicules, mocks, provokes and disturbs public order, religious values and public morals through social media. The law referred to the term privacy but did not define it, or what information is to be considered private. The Anti-Cyber Crime Law of 2007 lists ‘defamation’ as one of the cyber-crimes subject to imprisonment, but fails to define this offence. An offence is punishable with imprisonment for a period not exceeding one year and/or a fine not exceeding five hundred thousand riyals. It is also an offence under the Law for any person to produce, prepare, transmit, or store any material that impinges on public order, religious values, public morals, and privacy, either through the internet or through computers. Without a clear definition of these terms, it could potentially give the judge wide discretion to define them and apply the law as he deems fit.
The Saudi Court of Appeal has upheld the lower court’s decision, without any plausible ratio decidendi, that taking a picture of a child and sending it to a third party constitutes an invasion of her privacy under this law, capable of defaming her or causing other damage to her. Such offences under this law shall be punishable with imprisonment for a period of not more than five years and/or a fine of not more than three million riyals. These provisions appear to be very efficient in deterring individuals from invading the privacy of others, or in protecting their confidential information. However, in all cases, the courts are empowered to enter a plea bargain with the accused person and exempt him from punishment if he reported the crime, suo motu, before being discovered by the law enforcement agencies, and before any harm is occasioned therefrom. The accused person may still be granted an exemption even where he reports after the fact if his report helped in arresting his accomplices. It is glaring that the law has made the breach of privacy and confidentiality through electronic media an offence punishable with imprisonment and/or fine, which serves as a deterrent to potential offenders. Conversely, it is possible to hold the view that the law may also encourage impunity as it allows offenders to escape punishment by merely informing the authority even after the commission of the offence if it helps to apprehend other possible accomplices. Interestingly, the law does not provide for specific safeguards to prevent the abuse of these exceptions. For instance, apart from just informing the relevant security authorities, what other preconditions are there to satisfy in order to qualify for a plea bargain under Article 11 of the Law? The conditions one may infer from the current position of the law are: first, that the offender ‘informs’ the authorities before or after the commission of the offence, and secondly, that the information helps to apprehend the other accomplices.
The law does not take cognisance of the nature of harm or damage suffered by the aggrieved person, the mens rea of the offender and any other relevant issues. Therefore, it is the view of this author that the law does not provide an adequate safeguard against arbitrary interference. Furthermore, the complication arising in the Saudi jurisdiction concerning the application of human rights laws is the ambiguity and uncertainty in the interpretation of the law by the courts, which could portend the risk of injustice. The lack of a system of stare decisis under the Saudi Arabian legal system could potentially give unduly wide latitude of discretion to the Saudi Arabian courts while interpreting data privacy violations. For instance, under the Anti-Cybercrime Law, a criminal court reportedly convicted and sentenced a woman on charges of defaming another person on social media and punished the offender with a term of imprisonment for two months, the payment of a fine of 20,000 riyals and 70 lashes. This judgement was passed even though the Anti-Cybercrime Law does not provide for lashing as a punishment under that statute. Also, recently a man who had threatened to post ‘intimidating’ pictures of a woman on social media was arrested under the Saudi Anti-Cyber Crime Law. These incidents further emphasise the concern about the lack of precision and clarity of the laws.

4.2.3 Other Related Statutes on Privacy and Confidentiality

Another similar law is the Telecommunications Act of 2001, which is intended to regulate the telecommunication industry with the goal, among others, of ‘safeguard(ing) the public interest and the user interest as well as maintain the confidentiality and security of telecommunications information.’ It also prescribes sanctions for the breaches of privacy in the telecommunication sector. Consequently, it is a violation of the Act to engage in an interception or intentional disclosure (other than during duty) of any telephone call or data carried on the public telecommunications networks in violation of the provisions of the Telecommunications Act. A violation of its provisions may attract a fine of up to five million Saudi Riyals and any party who is unsatisfied with the decision of the Commission may appeal to the Minister. An opportunity for a further appeal lies to the Board of Grievance. The Regulation in Article 56(1) states that a service provider shall not disclose information other than users’ name, address and telephone number without prior consent from the users or otherwise required by law. It also requires taking all reasonable steps to ensure the confidentiality of users’ communication (article 57 (1)). Article 58 (2) and (3) of the Regulation mandates the operators of telecommunication facilities and networks to respect the privacy of users. It provides: A service provider shall operate its telecommunications facilities and telecommunications network with due regard for the privacy of its users. Except as permitted or required by law, or with the consent of the person to whom the personal information relates, a service provider shall not collect, use, maintain or disclose user information or user communications for any purpose. The Regulation also states that a user’s information shall not be collected without informing the user about the purpose for which the information is collected. 
Furthermore, it also prohibits the collection, usage, maintenance and disclosure of personal information for undisclosed purposes without the consent of the data subject. However, the provisions of the law and its executive regulation are still vague. This is because both the law itself and the regulation do not expressly state whether the service providers must have valid and reasonable purposes for collecting, processing or storing such personal data. It is not surprising, therefore, that the privacy policies of the major telecommunication companies indicate that they arrogate to themselves the right to change their respective policies at any time, and without any indication that they would notify the user if they do change their privacy policies. However, the Regulation allows concerned government agencies to exercise their rights to access otherwise confidential information relating to a user, provided that such access is made in accordance with the laws of the Kingdom. This re-echoes the provisions of the principal law to the effect that under the Act, it is not permitted to disclose, listen to or record telephone calls and information transmitted or received through public telecommunications networks, except for the cases stipulated by law. It is imperative to note that the position of the Act is in tandem with the Basic Law of the Kingdom of Saudi Arabia (Constitution) which provides as follows: Correspondence by telegraph and mail, telephone conversations, and other means of communication shall be protected. They may not be seized, delayed, viewed, or listened to except in cases set forth in the Law. (Emphasis supplied)

Similarly, the Electronic Transactions Law aims to facilitate the procedures for the use of electronic means in transactions, without prejudice to the provisions of any other existing laws. Electronic transactions, just like the conventional transactions, have some bearing on privacy and confidentiality.
The law in article 1(11) defines ‘electronic data’ as data with electronic features in the form of texts, codes, images, graphics, sounds or any other electronic form, either collective or separate. Article 18(5) requires the certification authority to maintain, and ensure that its staff maintain, the confidentiality of information obtained in the course of business unless authorised by the certificate holders. This authorisation must be either in writing or electronic form. An oral authorisation is not considered valid under this law.

Additionally, Article 4 of the law states ‘Nothing in this Law shall compel any person to use electronic transactions without his implicit or explicit consent.’ Generally, there is no statutory requirement for organisations to maintain adequate security for the confidentiality of personal information that is acquired or stored according to this law or regulation. Many people willingly disclose their names to people they do not know, but only a few are willing to disclose health information to strangers unless there are strong guarantees that such information will be kept confidential and used only for the purpose agreed to by the data subject. In principle, there should be very stringent rules in the Saudi Electronic Transactions Law that apply to the processing of sensitive data, for example, data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, health or sexual preference. Supposedly, such data should not be processed. Under this law, retailers are not at liberty to keep consumers’ data for ‘longer than necessary.’ Also, vendors shall not use or share with third parties consumers’ private data without their consent. What is still unclear is whether data should be deleted immediately after the transaction has been completed and delivered or kept in databases and, if so, for how long the data should be kept. However, the executive regulation stipulates that if any laws or regulations specify a time or duration of data retention, data have to be kept safe for that duration. In the case of violation of this law, the aggrieved person who can show that he/she has sustained damage has the right to claim damages before a competent court.
Given the lack of unanimity among the scholars and the lack of judicial precedent on the eligibility of an aggrieved person to obtain compensation for moral damages, the aggrieved person has to consider this reality before deciding on venturing into a legal suit that they might almost certainly end up losing. Furthermore, because information privacy violations often lead to moral damage rather than material damage, it might be difficult for the harmed party in Saudi Arabia to seek and obtain compensation for information privacy violations. If a person’s personal information has been compromised and he/she can prove that the harm occurred after a violation of one of the Saudi regulations or Sharia law, the person who suffered the harm may not receive any compensation. Similarly, the Civil Service regulation in Article 12 prohibits civil servants from disclosing secrets or confidential information they acquired while at work. Under the Saudi Law of Terrorism Crimes and Financing, the Minister of Interior or his designee, if deemed useful, has the power to issue a warrant, in relation to a crime under the Law, to enter into, and search homes at any time within the validity of the warrant. In certain exigencies, a search warrant may be dispensed with, if grounds have been established for such exigency. There are other similar provisions related to access to banking data and requiring the banks to provide such access to investigators of the crime of financing terrorism. Where an accused person cooperates with the investigator and helps in apprehending the accomplices of said crime or a similar crime, the Minister of Interior may stay his prosecution or order his release if the Minister has reasonable ground to do so. It is precisely in situations of crisis, such as those brought about by terrorism, that respect for human rights is even more important, and that even greater vigilance is called for.
Considering that terrorism seriously jeopardises human rights, threatens democracy, and aims notably to destabilise legitimately constituted governments and to undermine pluralistic civil society, it reaffirms the imperative duty of States to protect their populations against possible terrorist acts.

When the fight against terrorism takes place in a war or public emergencies that threaten the life of the nation, a State may adopt measures temporarily derogating from certain obligations ensuing from the international instruments of protection of human rights. This derogation shall be to the extent strictly required by the exigencies of the situation, as well as within the limits and under the conditions fixed by international law. The State must notify the competent authorities of the adoption of such measures in accordance with the relevant international instruments. Within the context of the fight against terrorism, the collection and processing of personal data by any state authority may be justified only if it is governed by appropriate provisions of domestic law, is proportionate to the aim for which the collection and the processing were foreseen, and is subject to supervision by an external independent authority. In the fight against terrorism, any measure that interferes with privacy must be provided for by law and be subject to challenge before a court.

4.3 Conclusion

The fourth chapter features a review and analysis of different pieces of legislation that offer protection to the human right to privacy and confidentiality. This reiterates the initial submission in chapter one of this thesis that a single and comprehensive data protection law is lacking in the Saudi jurisdiction. The emphasis here is that these laws/regulations derive their source from the Shari’ah. These laws form the bedrock for safeguards to the generic right of privacy and confidentiality but do not specifically provide for the confidentiality of sensitive health information that is collected, processed and possibly shared by team members within the healthcare systems for patient care. Other laws provide for health-related issues, which also involve the collection, processing and sharing of patients’ confidential information. The highlight of the chapter is the need for holistic protection of confidentiality rights as well as ensuring that where the right to confidentiality is limited, it should at least meet accepted international standards. This chapter has discussed confidentiality rights in general; the next chapter deals with the specific right of the patient to confidentiality.

Chapter Five Saudi Arabian Laws On Patient Confidentiality Rights

5.1 Introduction

Even though Saudi Arabia has several pieces of legislation purporting to offer protection for patients’ confidentiality, there is as yet no comprehensive data protection law for the country that regulates the HCP-patient relationship and disclosure of private health information. The identified laws are discussed in this chapter. They include the Law of Practising Healthcare Profession, the Mental Health Act, Private Laboratories Law, the Law of Units of Fertilization, Utero-Foetal and Infertility Treatment and the Saudi Law of Ethics of Research on Living Creatures. These laws will be discussed in sections 5.2 to 5.7 below.

5.2 Law of Practicing Healthcare Professions

The Law of Healthcare Professions provides for a broad spectrum of rules on the duty of HCPs. HCPs among many other duties are obligated to maintain their patients’ confidentiality in the following words: A healthcare professional shall maintain the confidentiality of information obtained in the course of his practice and may not disclose it except (as provided by the law) … The Royal Decree No. M/59 of 1426H identifies HCPs to include: Any person licensed to practice a healthcare profession, including the following categories: physicians, dentists, pharmacists, health care technicians (in radiology, nursing, anaesthesia, laboratories, pharmacy, optics, epidemiology, artificial limbs, physiotherapy, dental care and prosthodontics, tomography, nuclear medicine, laser equipment and surgery), psychologists and social workers, dieticians and public health specialists, midwifery, paramedics, speech therapists and audiologists, occupational rehabilitation and therapy, medical physics and other health professions to be agreed upon by the Minister of Health and the Minister of Civil Service and the Saudi Commission for Health Specialties. The Royal Decree requires HCPs to serve the interest of the patient and the society while at the same time respecting the patient’s dignity and customs. The Minister of Health is empowered by this law to issue Implementing Regulations for the Royal Decree and to issue decisions and directives necessary for the implementation of the Decree. One very important omission from this law is the lack of a definition of what is meant by the duty of confidentiality or confidential information. It is imperative to state that the lack of a clear definition of confidentiality or confidential information in the principal law could potentially lead to an ambiguity in the interpretation of the law and may give wide room for discretion to the court when faced with an interpretation of the term.
Hence the fact of the existence of a duty of confidentiality on the part of the HCP is sometimes left to the judge’s discretion. For example, a judge presiding over a tort case may exercise discretion to establish a legal duty. The breach of the duty under the Shari’ah occurs when anyone with a duty fails to act or even intends to default. A violation of the Law of Healthcare Professions constitutes a crime which attracts a fine of 20,000 Riyals or less. In addition, Article 31 of the Law provides for a disciplinary liability for defaulting in any professional duty created under the law or for violating the relevant code of professional conduct or ethics. The disciplinary penalties may include a warning, a fine not exceeding 10,000 Riyals or revocation of the license for practice and a further ban from re-registration for two years from the date of revocation. However, the patient whose right was proved to have been breached may not have a civil right of action. The Shari’ah-based Article 27 of the Law, which provides for the civil liabilities of the HCPs does not include the breach of confidentiality as a civil wrong as known under the common law for instance. It is also noted that, under the Shari’ah, monetary compensation is not the only available remedy to recompense harm sustained. Other alternatives such as punishment or apology are also available. One of the guiding principles in Shari’ah in this regard is that, there should be neither harming nor reciprocating harm. However, physical harm attracts liability for compensation, whereas emotional distress without physical harm attracts punishment. 
Therefore, the Saudi courts have determined that the remedy for tortious conduct is monetary compensation for material harm while the penalty for moral harm is punishment. A good example is the case of harm resulting from emotional distress without physical injury where the tortfeasor has hurt someone’s feelings; he or she will be punished by lashes at the discretion of a judge. Alternatively, the tortfeasor may have to apologise or withdraw what he said by telling the truth if he had told a lie about the victim. This would seem to be a clear departure from the conventional laws of tort where apology or withdrawal of statement do not constitute remedies for emotional distress resulting from the tortfeasor’s act unless the aggrieved person expressly waives such right or accepts to withdraw the complaint. Nevertheless, under the Code of Criminal Procedure, although the public prosecutor has the responsibility to prosecute criminal cases before the courts, a victim who has suffered from crime has the right to initiate a criminal proceeding before the court in cases where the law grants special rights. He could, under this law, initiate such proceeding in his own right and independently of the public prosecutor's decision to prosecute and even if his application was not accepted during the investigation.

Where an aggrieved patient has submitted a claim for compensation to the competent court and the public prosecutor subsequently files a general criminal case against the same accused person, the patient may refer the court to the issue, unless the prosecution is closed. The public prosecutor cannot withdraw any claims brought by a victim unless the victim himself waives his right to continue with the proceedings. Moreover, where the public investigator is convinced that there is no reason to proceed with the investigation, the officer may recommend stopping the investigation, if he notifies the private right claimant of his decision. Despite the perceived deficiency for the lack of civil right of action in breach of patient confidentiality under the Law of Practising Healthcare professions, the provision under the Code of Criminal Procedure may be regarded as a compensation for that deficiency. As it is, although a breach of patient confidentiality is a crime under the Saudi Arabian jurisdiction, some form of redress is provided for the aggrieved patient. This is not provided by recourse to a civil suit but as a part of the criminal proceedings. Notwithstanding, a patient who has suffered physical harm can initiate a criminal proceeding. It is important to note that the protection for patient confidentiality under the Royal Decree is not absolute. The provisions are subject to limitations provided for under Article 21. As such, certain disclosures may be allowed under the law. For example, where a statute provides for a legal duty to disclose a piece of otherwise confidential information under some defined circumstances, it would not constitute a breach of confidentiality if the HCP discloses confidential information under such situations. In the same vein, the private health institutions in Saudi Arabia are required by law to report to the relevant authorities all crime-related incidents or deaths and infectious diseases presented at their institutions.
Health institutions are required to keep a full record of all traffic accidents and injuries. A violation of these requirements could result in penalties that could include a fine of between 10,000 and 100,000 Saudi riyals, closure of the private health institution for a period up to sixty days, or the withdrawal of license and a ban from obtaining a new licence for a period of at least two years from the date of withdrawal. These provisions are similar to the statutory authorisations under other jurisdictions, for instance, the English laws that allow for the reporting of infectious diseases, or statement of the underlying cause of death in a death certificate or notification of birth and deaths and reporting of suspected child abuse. There are also circumstances where disclosure is permitted in the patient’s interest. For example, section 60 of the Health and Social Care Act 2001 empowers the Secretary of State to authorise the processing of patient data in the interests of patient care and public health. Again, an HCP may be compelled to divulge confidential information in court during proceedings where they are summoned to give evidence. The HCP cannot claim privilege to keep professional confidence; otherwise they may be found guilty of contempt of court.

5.3 The Mental Health Law

The Saudi Arabian Mental Health Law is intended, among other things, to regulate and promote mental health care services required for psychiatric patients as well as to protect the rights and dignity of psychiatric patients, their families and the community. This law requires HCPs involved in the care of such patients to protect the confidentiality of their personal information except as provided thereunder. The exceptions to the duty of confidentiality under the law include the request of a supervisory board for mental health care; the request of judicial or investigation authorities (stating the purpose for the request); for treatment purposes to maintain a continuum of care; or due to imminent threat to them or others. A breach of this duty could attract a penalty of imprisonment for a period not exceeding three months or a fine not exceeding fifty thousand riyals, or both. One particular point must be made regarding disclosure to guardians or relatives of psychiatric patients without the requisite mental capacity. In such cases, the Law authorises the healthcare providers to notify the patient’s relative about the progress of the patient’s conditions and to involve them in the decisions on the course of treatment. The relatives are mandated to give consent or file complaints or grievances on behalf of the mentally incapable patient, as needed.

5.4 The Private Laboratories Law

Maintaining the confidentiality of laboratory data is a critical component of routine pathology practice because it involves the collection, analysis, storage and, nowadays, the electronic transmission of patients’ data across different electronic platforms. Therefore, laboratories should take legal responsibility for securing the confidentiality of the patient’s private data, both electronic and otherwise. The most problematic types of laboratory examination and reporting are genetic examinations and autopsies, especially those involving stigmatising conditions, where maintaining confidentiality is among the most common problems. The confidentiality issues are especially problematic when they involve the disclosure of the true cause of death or the giving of expert testimony. In such situations, considerations include the obligation to maintain confidentiality even after the death of the patient. At the same time, there may be public health concerns that justify limited disclosure of a deceased person's human immunodeficiency virus status. The Private Laboratories Law regulates the licensing and practices of private medical laboratory services outside of the hospital setting. The law itself does not expressly provide for the duty of confidentiality or the grounds under which disclosure could constitute a breach and the exceptions that could justify an otherwise unlawful disclosure. The law only requires private laboratories to keep records of test results for a period not less than five years for reference, when needed. Although this may seem to be a major omission, it could also be assumed that the provisions of the principal law, i.e. the Law of Practicing Healthcare Professions (including laboratory practitioners), will, by extension and implication, apply to the practice of medical laboratories, whether in a private or governmental setting. 
With the increasing connectivity of laboratory systems and devices to the Internet and wireless networks through computers and mobile devices, the demand to continuously protect data in all of its forms, locations and transmissions becomes more imperative. The responsibility of assuring the confidentiality and security of these data rests with the pathology department in collaboration with the information technology department. Unfortunately, the law does not specifically provide for the duty of ensuring the confidentiality and security of the laboratory data. Furthermore, there are no specific provisions regulating access to or disclosure of data, and there is a lack of sufficient safeguards relating to the data retained. It is also worrisome that there is no comprehensive data protection law in place to regulate laboratory practice in the Saudi Arabian jurisdiction. Given that pathology laboratories are heavily involved in dealing with patient information for clinical and possibly research purposes, laws, policies and procedures that deal with data protection and security are critical. Although the law is arguably deficient in this respect, the study explores the emerging soft norms in chapter six of this thesis. It is also worthy of note that the Laboratories Law regulates only private laboratories. It is, therefore, unclear how governmental hospital laboratories are to be guided.

5.5 The Law of Units of Fertilization, Utero-Foetal and Infertility Treatment

Infertility is a global phenomenon that places a huge psychological burden on the infertile couple, especially on the woman, and it is associated with other psychosocial conditions such as depression, suicidal tendencies and other pathologic psychological conditions because of the attendant risk of marriage and family breakdown. Assisted reproductive technology services are growing in demand because they offer additional choices to individuals seeking to achieve parenthood. Until the eighties, the adoption of assisted reproduction technology had been resisted in the Middle East, mainly for religious reasons, until the two major fatwas that allowed its use. Assisted reproduction technology in Saudi Arabia started in 1986 and presently, there are 23 centres across the Kingdom. This technological concept is practised in Saudi Arabia in a strictly religious manner and certain aspects of the technology are completely forbidden. It may be different from the perspective held in the Western jurisdictions with regard to human rights. For example, a US court had held that: “If the right of privacy means anything, it is the right of the individual, married or single, to be free from unwarranted governmental intrusion into matters so fundamentally affecting a person as the decision whether to bear or beget a child.” Often, an ethical dilemma arises between the respect for privacy and confidentiality of the foetus and the parental rights to information about the foetus. Nevertheless, Saudi law requires that a valid marriage exists between the man and the woman involved before the facility may undertake the procedure. Furthermore, an egg from a woman may not be implanted in the ovum of another woman even if she is married to the same man. Likewise, sperm from a man can be used to fertilize the egg of his lawful wife only. 
This differs from what is obtainable under, for instance, the UK Human Fertilization and Embryology (HFE) Act, which allows donation of gametes and surrogacy between parents who may not have been married. Under the Saudi Arabian law, Article 12 of the Law provides: “Fertilization, utero-foetal and infertility treatment units shall maintain absolute confidentiality with regard to patients' personal information. No person shall have access to said information except in cases where it is deemed necessary and based on approval of the Supervisory Committee or judicial authorities.” This provision is quite similar to Section 33 of the UK’s HFE Act 1990, which prohibits employees, staff, contractors, licensees or others involved in the procedures from divulging any pertinent information to any other third party except as provided under the law. However, given the use of the words ‘absolute’ confidentiality in the Saudi Law, one would not have expected an exception, but the law still provides that disclosure may be made under circumstances that are deemed necessary and approved by the supervisory committee so appointed under the law or the judicial authorities. However, the circumstances under which a breach of the confidentiality could be deemed necessary, or upon which the Supervisory Committee may approve such access or disclosure, are unclear. Although not explicitly referred to as an exception, the Law requires the facility to submit annual reports to the Supervisory Committee consisting of the full statistical report and list of all cases examined and treated. The Supervisory Committee has the responsibility to review such reports and monitor the facility for compliance. The Law does not make any other exceptions for disclosure of any information related to the fertilization under the Law. It may as well be assumed that ‘deemed necessary’ could denote disclosure to treating team members without whom the treatment could not possibly have been undertaken. 
In addition, the Law did not specify under what conditions the “judicial authorities” may approve of the disclosure. Furthermore, the term “competent authority” was not defined anywhere in the Law.

A breach of this duty under the Saudi law shall be subject to penalties ranging from a warning, a fine of between 20,000 riyals and 200,000 riyals, or imprisonment for not more than two years and/or revocation of license. The penalty decision is subject to appeal to the Board of Grievances within 60 days from the date of notification. On the other hand, under the UK’s HFE Act, for instance, a person who discloses any information in contravention of section 33A of this Act is: guilty of an offence and liable (a) on conviction upon indictment, to imprisonment for a term not exceeding two years or a fine or both, and (b) on summary conviction, to imprisonment for a term not exceeding six months or a fine not exceeding the statutory maximum or both. Accordingly, the Saudi Law requires the facilities conducting fertilization to document, keep and maintain records of treatment for up to 10 years and to make them available to the competent authorities upon request.

5.6 The Saudi Law of Ethics of Research on Living Creatures

The Law regulates the conduct of research on living creatures by any establishment or body within the Kingdom. Furthermore, the Saudi Law of Ethics of Research on Living Creatures aims to protect the rights of the human subject or part thereto, guarantee his safety and dignity and not to harm animals or plants when conducting research. The principles of the Shari’ah, professional ethics, as well as rules and procedures set by the National Committee, are enforced in implementing the provisions of the Law and its Regulations. The National Committee sets standards for biological research ethics and oversees enforcement of research ethics and monitoring implementation thereof. It has exclusive authority: To set ethical controls and monitor implementation thereof to, among others, ensure confidentiality and security of research information. The law defines confidentiality as ‘non-disclosure or passing of any data, information or results related to the research or the human subject, to any third party not connected with the research.’ It also defines privacy as ‘Observing common values, including traditions, thoughts and norms.’ These definitions are by no means consistent with the standard definition of the terms. Under the Law, research on a human being may not be undertaken without an informed consent validly and voluntarily given by the research subject. The ‘Informed Consent’ form should include a statement of the level of respect accorded to the confidentiality of information that may reveal the identity of the subject, along with a commitment by the investigator to secure such confidentiality. The investigator shall maintain the confidentiality of research conclusions, and not identify their source. 
However, ‘if it is not possible to link information obtained by the researcher from the records or bio-pathological samples with the source person or if the outcomes related to individuals are available to the public,’ or if the samples are anonymised and the local ethics committee gives its approval, the consent may be waived. The researcher is required by the law to maintain a patient’s privacy and the confidentiality of information of samples taken or results thereof. In addition, article 36 prohibits research that could negatively affect society or that might lead to any kind of discrimination. Accordingly, the Principal Investigator is responsible for maintaining the privacy and confidentiality of information of data subjects and shall be liable for any damage sustained by the donors. If local or international researchers are invited to conduct joint research on genetic material, the Principal Investigator shall emphasise the necessity of observing the privacy and confidentiality of information related to donors in accordance with the provisions of the Law and Regulations. The Principal Investigator may be estopped from the use of research results on genetic material if publishing said results would harm the public interest, subject to the approval of the National Committee. A central data bank shall be established within KACST to maintain information related to genetic material and regulate the use thereof in accordance with procedures specified by the Regulations. Said bank shall provide information for research using genetic material in the Kingdom. The Central Data Bank and the local gene banks shall provide parties concerned with information available on different diseases affecting individuals, families or the community, subject to maintaining the privacy of the genetic material source and barring the possibility to identify the source of the sample. The investigator shall maintain the confidentiality of research conclusions, and not identify their source. 
Research with negative impacts on society may not be conducted, especially research reinforcing racial discrimination. Conducting research on diseases that are particular among a certain group for treatment and understanding of mechanisms of transmission of said diseases may not be construed as promoting racial discrimination. Scientific results shall not be leaked to the media if this could lead to promoting discrimination based on race or family or tribal affiliation. Results of the research on genetic material shall be the property of the State. Neither the researcher nor the institution may provide said results to any internal or foreign body without permission from the National Committee provided the material and scientific rights of the researcher or research team and the research subject are preserved.

Violations of the law attract punishments that may include either or a combination of a warning, suspension or barring of research, a fine not exceeding 200,000 riyals or imprisonment for a period not exceeding six months. Again, an aggrieved research subject has only to rely on the provisions of the law of criminal procedure to institute a criminal proceeding against the healthcare professional that breaches that confidentiality duty.

5.7 The Cooperative Health Insurance Law

In its attempt to meet the growing health needs of its teeming population, the Kingdom of Saudi Arabia has made significant progress in healthcare insurance. A comprehensive health insurance program that is based on the Shari’ah concept was established and implemented through a newly established Council for Cooperative Insurance. The statute that governs the establishment and operation of the insurance scheme is the Cooperative Health Insurance Law along with its Implementing Regulations. Protecting confidentiality is both complex and challenging in the health insurance arena and would require a robust law to accomplish. This is because the health insurance arena is full of opportunities for sharing of private information, some of which are according to explicit legal requirements or insurance carriers’ policies and practices, such as the sending of explanations of benefits when insurance claims are filed and acted upon. These disclosures may result in patients’ information reaching unintended third parties, including family members, even when the patient wants the information to remain private. Any law envisaged should be able to protect confidentiality without forfeiting the opportunity to secure health insurance payments for insured patients. In other words, the law should be able to strike a balance that permits important uses of information, while protecting the privacy of people in need of health care. Because of the diversity of the healthcare industry, therefore, the law should be designed to be flexible and comprehensive to cover the variety of uses and disclosures of the patient’s sensitive information that may need to be addressed. 
However, neither the principal law on health insurance nor its implementing regulation has made an explicit provision on how to protect patients’ sensitive information across the border between the insurance companies, the covered healthcare providers, public institutions and other third parties who may be involved in the interconnected web of the insurance business. The only provision bordering on confidentiality appears to be where the Regulation requires Council members or employees of the General Secretariat to desist from disclosing confidential information obtained in the course of their employment during or after membership or employment. This provision shall apply to any other person obtaining such information from official reports. In the absence of any judicial interpretation, it is unclear if ‘any other person’ in this section includes staff of the insurance companies and healthcare professionals hired by the healthcare provider. Under the law, the insurance companies are required to employ physicians to monitor the services rendered, and the healthcare providers are required to provide physicians working for insurance companies with all required information and make available all documents necessary for monitoring in accordance with Article (87) of these Regulations. The physicians are allowed to access the hospital wards, offices of medical supervision and medical records of any licensed hospital where a beneficiary was or is being treated when necessary for monitoring, in coordination with the parties concerned. The Law stipulates that all physicians working for insurance companies shall be subject to the Law of the Saudi Commission for Health Specialties, which is essentially concerned with the classification and registration/licensing of professionals rather than their practice. 
It is argued here that, although it is proper to subject these physicians to the licensing law to enable them to practice, they should also be explicitly subjected to the law of practising health professions. Nevertheless, the professional “physician” is included in the list of professionals to which the law of practising health profession applies.

5.8 Non-Disclosure Agreement under Saudi Contracts of Employment

HCPs practising in Saudi Arabia, like other workers, undertake to keep work-related secrets confidential under either a non-disclosure or confidentiality agreement or a clause under the contract of employment according to the Saudi labour law. The contracts of employment specify that HCPs are bound by certain conditions and terms of their employment. Although the Saudi Arabian Labour Law does not specifically refer to patients’ data, it provides that, without prejudice to the provisions of other relevant laws and regulations, the (healthcare) worker shall be required to keep confidential work-related secrets, the disclosure of which is likely to cause damage to the employer’s interests. In such situations, the employer is empowered to terminate the contract without an award, advance notice or indemnity if the worker discloses work-related secrets. The law requires that valid confidentiality clauses must be in writing and specific in terms of time, place, and type of work. Accordingly, an employer may sue an existing or former employee for breach of non-competition or confidentiality undertakings within one year of discovering the violation. The Labour Law does not define what constitutes confidential information that must not be disclosed to third parties. However, many employers of labour have devised and incorporated sector-specific non-disclosure or confidentiality clauses into their standard contracts of employment. For instance, some of the Ministry of Health (MOH) medical cities have developed a confidentiality statement to which staff must pledge, with the potential consequence of penalties for non-compliance. In line with the Labour Law provisions, unlawful disclosure of patients’ confidential data may result in the termination of a contract of employment.

5.9 Saudi Professional Code of Ethics on Patient’s Confidentiality Rights

Ordinarily, ethical codes are considered as a form of a soft norm in other jurisdictions. However, under the Saudi jurisdiction, the Ethical Code for Practicing Healthcare Profession has been incorporated into the Law of Practicing Healthcare Profession. Under the Law, non-compliance with the Code is an offence that may attract a disciplinary punishment. The Saudi Commission for Health Specialties makes the Professional Code of Ethics in its capacity as the regulatory body for all HCPs licensed to practice in Saudi Arabia. This is unlike the practice in other jurisdictions where each health profession is governed by a separate regulatory body, for instance, the General Medical Council, and the Nursing and Midwifery Council respectively regulating medical and nursing practice in the UK. The Islamic law principles of patient confidentiality derive their roots from the general principles of privacy and confidentiality. This is because Islamic law is considered as a comprehensive combination of moral and positive laws that can easily resolve ethical problems that man-made law cannot solve. Many contemporary ethical issues in medicine are moral and require ethical and religious guidance. Ethics are universal values and there is convergence among many religions and belief systems about these values. Islam differs from others in that ethics is part of its law. This makes the enforcement of medical ethics a religious duty that many Muslim HCPs will respect because it is based on belief and not just coercion. Under the Saudi Arabian system, there is a unified law, regulatory body and professional ethics for the practice of the HCPs. The Saudi Commission for Health Specialties (hereinafter referred to as the Commission) is the statutory body that is responsible for supervising and evaluating training programs, as well as setting controls and standards for the practice of health professions. 
Therefore, according to the provisions of the Law, the Commission issued the first edition of the handbook on ‘Code of Ethics for Healthcare Practitioners’ in 2003. This is a departure from what is obtainable in many of the other jurisdictions. For instance, as alluded to earlier, in the UK, the General Medical Council (GMC) regulates medical practice, and the ‘Good Medical Practice’ is the professional code that applies. On the other hand, the Nursing and Midwifery Council (NMC) deals with the nursing and midwifery professions, and The Code for nurses and midwives is the applicable code of ethics. The Saudi Arabian law of practising healthcare professions requires the practising HCPs to exert due care in line with commonly established professional standards. Privacy issues dominate the discourse of the ethical issues raised in the Handbook of Code of Ethics. It clearly outlines the relationship between the patient and HCPs and discusses the significance of informed consent in that relationship. The Handbook of Ethical Codes clearly describes the duties, rights, obligations and constraints associated with privacy rules, and defines the conditions precedent that must be satisfied to justify an otherwise unlawful disclosure of personally identifiable information. Ethics deal with well-based standards of how people ought to act. As such, ethical decision-making entails following certain well-established and accepted norms/standards of behaviour. The Saudi Commission claims that the ethical principles laid down in the Code are informed by the concept of justice, mercy and people’s interests, which are among the basic principles of Shari’ah. The Muslim society is usually governed by the principles of Shari’ah which sieve offensive acts from good ones, good from bad, right from wrong and permissible from prohibited. 
This could be likened to the core ethical principles of beneficence (do good), non-maleficence (not harm), autonomy (control by the individual), and justice (fairness) stated by Beauchamp and Childress.

Generally, Islamic ethics requires all Muslims to imbibe the best of manners and reminds them that the omnipresent Allah (God) observes all their deeds. Its framers concede that the primary sources of Shari’ah (Qur’an and Sunnah) do not specifically refer to many of the modern healthcare-related ethical dilemmas and that, therefore, resort had to be made to the Ijtihad (methodological reasoning) of authenticated religious scholars (Ulama) to find recommendations and religious rulings for such issues. The reasoning is based on evidence which is ranked per its proximity with a clear statement about the issue in the Quran, or derived from the authenticated Sunnah. To reach a reasoned decision, the scholars either make a unanimous agreement (Ijmaa), or a majority agreement (Rayoul-Jomhour), or compare the issue at stake with a similar issue already decided on previously (Qiyas), arguably, a similitude of judicial precedents. Ordinarily, the Shari’ah-based professional ethics are also derived from what is ‘agreed on as good manners’ which may differ in different places if they do not contradict the Shari’ah. Ethics may also be founded on the results of scientific research, or professional rules. Generally, the professional ethics encourage demonstration of best manners, devotion and worship of Allah (God). Others include truthfulness, honesty, integrity, respect for others and self-accountability, among many others. Additionally, under the Islamic law, the physician-patient relationship is based on the principles of brotherhood that is predicated on respect for life, maintaining the highest standards of justice, exhibiting good intentions, avoiding the prohibited and doubtful things, avoiding matters that are none of his business, unnecessary arguments/frivolities, and greed. 
Others include loving others and causing no harm, giving sincere advice, doing the enjoined acts and basing decisions and actions on evidence, maintaining restraint, modesty and objectivity, as well as avoiding oppression or transgression against others. To appreciate the law of Saudi Arabia on patient confidentiality, there is a need to resort to the opinions of jurists, for example, the ijtihad of religious-legal scholars or 'ulama, who are literally the possessors of knowledge. Patient confidentiality, under the Sharia, is generally based on a couple of Islamic law principles such as avoiding assumptions, spying and backbiting, justifying trusts reposed on us, and respecting the privacy of others. Furthermore, Islam encourages Muslims to protect secrets and accords high value to the protection of confidentiality in the public interest. People with such characteristics have been highly appreciated in the Qur’an: “O ye that believe! Betray not the trust of Allah and the Messenger, nor misappropriate knowingly things entrusted to you.” “Those who are faithfully true to their Amanât (all the duties which Allah has ordained, honesty, moral responsibility and trusts) and to their covenants.” Apart from the generic confidentiality principles, Islamic institutions have promulgated a few specific fatwas about medical/research confidentiality and breach of confidentiality. For instance, one of the fatwas addresses the obligation of maintaining medical confidentiality and its exception (where disclosure may be allowed or, indeed, mandatory). According to this fatwa, the disclosure of confidential information is required/obligatory to prevent harm either to the society or to individuals, and it is allowed (but not required) if such a breach would be beneficial to the individual or the society, or be a means to prevent general harm. 
Examples of such exceptions include, as a proof in defence of criminal proceedings, or to notify public authorities about a driver’s poor vision or drug/alcohol use at the time an accident occurs, or disclosure to family members if a patient suffers from an infectious disease (e.g., AIDS) if it may cause harm to their family or community.

5.10 Conclusion

The fifth chapter of this study features a review of Saudi laws that protect the right to patient confidentiality. These laws which regulate the HCP-patient relationship from the Shari’ah perspective provide for circumstances under which the right to patient confidentiality may be curtailed. It is clear from the analysis in sections 5.2 to 5.10 above that there are situations where the HCP is required to disclose a patient’s private information. The Law of Healthcare Professions provides the basis for the relationship between the HCP and the patient as far as confidentiality is concerned. The other laws such as the Mental Health Law, the Law of Fertilisation, the Healthcare Insurance Law, the Law regulating employment contracts among others deal with certain aspects of the relationship between the HCP and the patient. It is worthy of note that these laws comply strictly with the provisions of the Shari’ah. The concern, however, is with the fast pace of evolving technology and the need for the law to play catch-up. Considering that law in Saudi Arabia is not determined by a system which involves the exercise of a legislative function by a legislative assembly, there is a need, therefore, to evolve a system for the interpretation of the Shari’ah to cater to modern needs. A good example in the analysis above is the fatwa that allows for IVF treatment among Muslims but restricted to married couples alone. In the next chapter, the discussion centres on Saudi soft norms for patient confidentiality.

Chapter Six Saudi Soft Norms On Patient Confidentiality

6.1 Introduction

In the previous chapter, the laws dealing with patient confidentiality were the focus. It is worthy of note that in the Saudi Arabian jurisdiction, some soft norms could potentially supplement what appears to be the deficiencies in the existing Saudi Arabian hard laws on patient confidentiality. Such soft norms are designed to augment as well as optimise the safeguards for patient confidentiality in the context of the law and practice of patient confidentiality in the country. However, the question that begs for an answer is this: are the soft norms sufficient to cure the gaps left by the laws? Several issues regarding the adequacy of the legal safeguards to confidentiality under the existing hard laws have been identified, especially in chapter five of this thesis. It has been noted that there is no comprehensive data protection legislation under the Saudi Arabian legal system and that there is a need for the law to evolve to cater to the fast pace of progress made in the use of information technology systems and electronic management systems. An example is the potential risk of disclosure of a patient’s confidential information through the use of social media or electronic management technology. Others include the lack of a standard definition of what constitutes confidential data and of the role of data controllers, processors and the patient in making decisions regarding the use, management and control of confidential personal data of the patient. Worthy of note is that none of the laws expressly and specifically provides for a civil right of action for an aggrieved patient in the event of a breach of their confidentiality. This chapter examines the soft norms available in Saudi Arabia. The aim is to assess how they close the gaps identified in chapter five of this study. 
Just like elsewhere, the Saudi Arabian legal protection for patient confidentiality is also made up of voluntary soft regulations which include policies, accreditation standards, and practice guidance issued by regulatory bodies, for example, the Saudi Commission for Health Specialities, the Ministry of Health (MOH), other accreditation or professional bodies and health institutions. These instruments vary in their degree of formality and binding force and represent an important part of the overall regulation and protection of patient confidentiality in Saudi Arabia. Given the close relationship between the operation of ‘soft norm’ and the role of regulators, these alternative approaches to the protection and promotion of patient confidentiality could potentially supplement the deficiencies discovered so far from the laws.

6.2 Hard Law, Soft Norm or a Hybrid?

Soft norm or non-legislative approaches to policymaking is becoming increasingly common today. Nevertheless, since parties are not formally obliged to do so, the tendency of non-compliance by citizens to the norms is high as they do not bear the force of law. Soft norm refers to some quasi-legal instruments, rules or guidelines of behaviour that are neither strictly binding nor completely lacking legal significance such as non-binding resolutions, declarations and guidelines created by governments and private organisations. Within the context of the healthcare sector, soft norms may include guidelines, policy declarations, or codes of conduct that set standards of conduct couched in the normative moods. Soft norms are usually not directly binding or enforceable in accordance with formal techniques of international law but are capable of exerting a powerful influence over the behaviour of countries, public entities, and private parties to which it applies. Soft norm is not an alternative to the ‘traditional’ law-making, but rather, a complement to it. It is fast becoming a major ‘legalisation form’ of the norm-like activities of private and public-private crossbreed authorities where the new type of informal soft norm has come to be primarily relied on by such authorities owing to its flexible and context-dependent nature. Soft norms are preferred for a variety of reasons. For instance, they are favoured to solve straightforward situations in which the existence of a focal point is enough to generate compliance, or loss avoidance theory, where a non-compliance with a hard law could attract higher sanctions to deter more violations. Furthermore, where the parties are uncertain of which approach is more desirable if it would not be in the state's interest to enter into a legally binding agreement or where the state is anticipating a better deal or advantage in the future and where participation may require too many concessions or technicalities. 
Soft-law instruments cope better with diversity and provide greater flexibility to cope with uncertainty and allow for adjustments over time. Therefore, soft-norm instruments are easier to negotiate, less costly, and allow parties to be more ambitious and engage in ‘deeper’ cooperation than they would if they had to worry about enforcement. Additionally, within the context of international common laws, soft norms serve as a non-binding gloss put on binding legal rules. For instance, ‘decisions of international tribunals are nonbinding interpretations of binding legal rules.’ Simply, states ‘opt for something more than a complete absence of commitment, but something less than full-blown international law.’ Arguably, parties could easily calibrate many areas of a soft norm to, uniquely, induce voluntary adoption and possibly, compliance. Conversely, hard law refers generally to legal obligations that are legally binding on and enforceable by the parties involved before a court. Generally, hard-law instruments allow parties to commit themselves more credibly to agreements, to avoid the increased cost of reneging due to sanctions. Hard-law instruments have direct legal effects and create mechanisms for the interpretation of the legal commitments and enforcement of commitments through either courts or alternative dispute-settlement bodies. Following from the above, why should soft norms be adopted while there is already a hard law in place? Critics of hard laws have raised several significant issues. For instance, hard law tends to be a set of fixed rules, for universal application, presupposes a prior knowledge and is difficult to change. On the other hand, soft norms allow for flexibility, diversity, experimentation and adjustments, and for internalization of the hard laws themselves, in order to ease enforcement and to achieve an optimal outcome. 
Furthermore, Judith Lichtenberg’s statement captures the important role soft norms play in influencing compliance with legal and ethical behaviour: “When temptations are significant, when the price of adherence (in terms, for example, of the sacrifice to our interests) is high, when the social consequences of violation (harm to others) are relatively slight, when the costs of violation are low – under such circumstances it is easy to be led from doing what you ought to do . . .” In contrast, hard laws, i.e. those legal obligations found in either laws, treaties or customary international law, are binding in and of themselves. In the contemporary situation that needs flexible compliance with and enforcement of the laws to achieve maximum results, the application of a hybrid of soft and hard laws is in order.

6.3 The Influence of Soft Norms on Compliance with Respect for Confidentiality

Under the Saudi Arabian setting, various healthcare institutions, for example, the Ministry of Health, university hospitals, medical cities and private hospitals, have created and applied various data protection policies, protocols and guidelines to enhance and supplement the laws and professional code. Those policies apply to healthcare facilities under such umbrella institutions. An additional tool examined is the internal policies and procedures, and hospital accreditation standards related to disclosure or confidentiality of a patient’s confidential health information. Below are some of the soft norms that deal with patient confidentiality in Saudi Arabia.

6.4 Saudi Ministry of Health (MOH) Electronic Health Information System and Data Protection Policy

Policy, a form of the soft norm, is a guiding principle used to set direction in an organisation. Ordinarily, organisations make policies as an add-on to the existing laws to enable them to smoothly run their health institutions. Several governmental and private proprietors of healthcare delivery systems (hospitals and clinics) in Saudi Arabia have since created internal policies and procedures for the protection of patients’ confidential data in their custody. The Ministry of Health (MOH) provides for nearly 60 per cent of the 470 hospitals operating within the Kingdom while the remaining fraction is shared between other governmental (9.36 per cent) and private (32.30 per cent) health care institutions. Given that the MOH regulates the operation of all healthcare institutions and has the largest bulk of hospitals in the Kingdom, the study used the data protection policy of the MOH with the intention of attempting to generalise its applicability across the board. Furthermore, these policies apply only to MOH hospitals and not to other quasi-governmental hospitals and private health institutions. The evolution of this policy might have been informed by the challenges brought about by advances in information technology, adoption of electronic health information management systems, social media communications, use of cloud computing, among others. The Saudi Arabian Ministry of Health (MOH) has created a new portal for health information exchange for MOH hospitals, which serves as an integrated interface and an electronic gateway for disseminating health information to all services offered by the Ministry. The MOH is the largest proprietor of health institutions in Saudi Arabia and, in addition to the responsibility of protecting confidentiality placed on HCPs practising in various healthcare settings in Saudi Arabia under the several substantive laws, the MOH’s data protection policy aims to tackle the challenges posed by the advances in technologies. 
The question that arises is how much compliance the soft norm enforces.

6.4.1 Data Protection under the Saudi Health Information Exchange

Definitions: Private/Personal Data

The Saudi Health Information Exchange Policy defines private (personal) health information (PHI) as any identifying information related to a person about his/her physical or mental health or the health services provided. It includes data related to registration, payments or eligibility for health care, testing/examination done, care/services rendered or, an identifiable assigned number, symbol or other particular related to the individual for health purposes. Any information or data identifying an individual as a provider falls into this category. This definition is quite similar to that of “Protected” Health Information (PHI) under the U.S. Health Insurance Portability and Accountability Act (HIPAA). The HIPAA defines a piece of health information as: any information, whether oral or recorded in any form or medium, that is created or received by a healthcare provider or institution relating to any health or condition of an individual, the provision of healthcare to an individual, or payment for the provision of healthcare to an individual. On the other hand, when compared to the definition of personal information under the GDPR 2016, it relates to a natural person recognisable by any identifier that may include name, identification number, location data, and an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Whereas ‘data concerning health’ means: “personal data relating to the past, current or future physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.” The Data Protection Act (UK) also made a definition similar to that of the European GDPR. While the definition under the MOH policy looks very extensive, it does not indicate if it relates to information in both paper and electronic form. 
Furthermore, the GDPR is more explicit about the kind of identifiers that are classified as private information, which further include location data, an online identifier or the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. What is required of the Saudi laws, for now, is to update the relevant confidentiality laws to include these missing factors, and/or to integrate these policies into the law so that they may carry some legal weight.

Right of Control by Subject of Data

The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of regulations are met. The Saudi MOH data protection policy provides for several patients’ rights related to the collection, processing, storing and management of their data. The rights include accessing their relevant personal health information contained within the Saudi Health Information Exchange through approved services. This is similar to what is obtainable under the GDPR which provides that the data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. Under the MOH policy, patients have the right of information regarding how their personal health information could be used; who could have access to it, and under what circumstances it could be disclosed. Patients also have the right to understand how the network will operate, what information will or will not be available on the network, the value of the network, its privacy and security protections, how to participate in the exchange and the rights, benefits and remedies afforded to them. 
The GDPR made a similar provision to the effect that, when personal data are obtained, the controller shall provide the patient with details of the controller, data processor, the purpose for the use, the legitimate interests pursued, the recipients or categories of recipients and the period for which the personal data will be stored. Furthermore, patients have the right to receive the information generated by the PHCS from their provider explaining the services and the patient’s rights regarding the use and disclosure of PHI from the systems at the patient’s first visit following the provider’s participation as a Saudi Health Information Exchange PHCS. The patient has the right to opt-out of the Saudi Health Information Exchange just as GDPR gives the data subject the right to withdraw consent at any time. Where personal data are processed for direct marketing, the data subject, under the GDPR, has the right to object to such processing, to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. Where the patient decides to remain, the provider shall take steps to protect the integrity, security, privacy, and confidentiality of a patient’s information transparently. Upon suspicion of a breach, the patient may file a complaint or request an investigation by him/herself or through an authorised agent, directed to the Health Information Management Personnel or HIE designated resources, similar to the right to complain to a supervisory authority under the GDPR. The patient may also request a report of third party disclosures for information accessed through the Saudi Health Information Exchange where the patient is the data subject. The GDPR, in such cases, requires the controller to provide appropriate information to the patient in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

However, unlike under the GDPR, a patient under the Saudi MOH data protection policy has no right to request deletion or erasure of any data from the Saudi Health Information Exchange, but the data may only be amended or replaced to accommodate corrections. Conversely, under the GDPR’s ‘right to be forgotten’, the patient has the right to request, and the controller has the obligation to carry out, erasure of personal data without undue delay under certain circumstances. Such circumstances include where the data are no longer necessary for the purpose, or the patient withdraws consent, or there are no longer prevailing legitimate grounds for the processing. The obligation to erase may also arise under the GDPR where the data was unlawfully processed, or where it has to be erased for compliance with a legal obligation. Furthermore, under the GDPR, where accuracy is contested, or the processing is unlawful (and erasure is refused), or the controller no longer needs the data but the subject needs them for legal claims, or the patient has objected to processing pending the verification, he/she has the right to restrict processing of such data. The controller may override the patient’s right to object to the processing of personal data concerning him or her, where the controller can demonstrate compelling legitimate grounds for the processing. For instance, if doing so could affect some legitimate interests, rights or the freedoms of the patient or that of the hospital, or if it is required for exercising, or for defending, some legal claims. Unless this proves impossible or involves disproportionate effort, the controller shall communicate any rectification or erasure of personal data or restriction of the processing. A significant departure of the policy is that the retention time for the Saudi Health Information Exchange managed PHI is indefinite. 
Under the GDPR, further retention of the data should be lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. Such retention may be necessitated on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes, statistical purposes, or for the establishment, exercise or defence of legal claims. Another area where the Saudi MOH policy is not as elaborate as the GDPR is the right to data portability: i.e., for the data subject to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance. Similarly, the Saudi policy is silent on automated individual decision-making, including profiling. The GDPR provides that the data subject shall not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Disclosure

The Saudi MOH policy prohibits the disclosure of Personal Health Information (PHI) to third parties except under some exceptional circumstances where an infringement of the right to confidentiality may be justified. The essence of making PHI available on the Saudi Health Information Exchange is primarily for purposes of treatment, healthcare operations, research/education, and public health. The policy states as follows: Personal health information SHALL NOT be disclosed EXCEPT for: Treatment (including)… clinical care… emergency care …or support of the patient’s care activities within the provider organization. Others include patient’s uses, for the hospital’s operational, health service management and quality assurance purposes. So also, Public Health, Public Health Surveillance, Disease Control, Public safety emergency or Population health management. Compare this to the GDPR under which processing of personal data shall be lawful only if consented to by the patient, pursuant to a contract, for compliance with a legal obligation, or for the patient’s or others’ vital interests. Other purposes include where it is in the public interest to do so or in the exercise of official authority vested in the controller, or for the legitimate interests pursued (except where carried out by public authorities in the performance of their tasks). Although expressed in different nomenclatures, the import of the two provisions is substantially similar. Furthermore, it is noteworthy that under the Saudi Arabian MOH policy, two other categories of PHI disclosures may be justified after fulfilling some conditions precedent. Such processing should be subject to suitable and specific measures to protect the rights and freedoms of natural persons. 
There, the following purposes of the disclosure are not justifiable without a valid court order: disclosures of PHI for legal investigation, or an enquiry to inform persons or processes responsible for enforcing jurisdictional legislation, or undertaking legal or forensic investigation unless there is a valid court order to do so. Conversely, certain disclosures are not permissible, e.g., disclosure based on authorizations not requiring a purpose to be declared, or where the purpose is not known, or purposes for which the other categories in this clause do not apply (unless a purpose as described above is declared). Apart from the foregoing grounds, e.g., treatment, operations and public health, for which disclosure of personal data may be justified, secondary disclosure may be made for other purposes, e.g., for research, upon approval of the appropriate ethics committee of the hospital. The Committee shall determine each situation on a case-by-case basis, based on published approval criteria. In order to ensure transparency and objectivity, the Saudi Health Information Exchange or an approved subcontractor should manage any research data extracts or viewpoints.

Notification of Privacy Breach

The MOH policy also lays down protocols for data breach notification to data subjects, and in some cases, to the public. In the event of any reportable breach of a patient’s confidential data, the Exchange is under an obligation to notify the hospital of the breach, for example, unauthorised acquisition, access, use, or disclosure, within 10 business days following the discovery of the breach. Then, the hospital is responsible for notifying any patient whose personal health information (PHI) has been breached within 30 days following the discovery of the breach. Depending on where or at what level the breach occurred, any required public notification is the responsibility of the entity (the hospital or the Saudi Health Information Exchange) under whose custody the breach occurred. An individual and limited breach requires notification to the involved patient(s); however, a breach that affects large numbers of individuals, typically more than five hundred, and that could involve continuous risk should be reported publicly as collectively determined by the privacy and security officer, the Saudi Health Information Exchange governing body and law enforcement authorities. Under the Policy, inappropriate use, transmission, copy or disclosure of a patient’s data could attract sanction under the appropriate Personnel Sanction Policy.

6.5 Hospitals’ Internal Policies on Privacy and Confidentiality

Various governmental, quasi-governmental and private health institutions have developed what is commonly referred to as Patients’ Bills of Rights, which include the right to confidentiality, and made internal policies to ensure compliance with these rights. These rights, the number of which varies from hospital to hospital, include the right to keeping the patient’s secrets confidential to the extent protected by the law. The patient’s right to confidentiality includes an entitlement to the discussion of the treatment with the patient or his/her legal guardian confidentially. It also includes physical privacy to the patient’s private parts unless a medically urgent situation arises. The patient also has the right to refuse to see anyone not concerned with providing the health service, including visitors. It also imposes a duty on the healthcare professional to maintain the confidentiality of the patient's information, diagnosis, tests, treatment and medical records except in situations where the patient consents, or where allowed by law. For instance, the King Saud University Medical City, Riyadh has developed the patients’ rights and has required its staff to comply with them. Therein, the policy requires the healthcare professionals to restrict the interview of patients to only those involved with the direct care of the patient, and provides that the patient is empowered to refuse discussion with anyone who is not officially and directly involved in his healthcare procedures, including visitors. Furthermore, only healthcare professionals directly involved in the patient’s care shall have access to patients’ files and details of their health condition. Additionally, medical assessment and examination are to be conducted confidentially in designated areas for these purposes. More so, King Faisal Specialist Hospital and Research Center (KFSH&RC), too, has extensively elaborated purposes for which patients’ data may be lawfully used. 
Those purposes are similar to those stipulated under the Saudi Information Exchange Policies, and include use for treatment purposes, for payments (to the insurance company), for health care operations to maintain and improve patient care, and for organized health care arrangements (to share with other health facilities). Others include sending to the patients mailings about available health-related products and services, medical research and legal matters. On the other hand, KFSH&RC published the rights of data subjects to include the right to demand an accounting of data processors, to amend incorrect or incomplete data, and to inspect and obtain a copy of completed health records. Other patients’ rights are the right to request restrictions of the uses or disclosures of health information for treatment, payment, or health care operations. The patients also have the right to request confidential communications (e.g., contact the patient through secure email). KFSH&RC has gone a step further to draft a non-disclosure agreement that third parties have to commit to when the Research Centre lawfully discloses any personal information in the course or furtherance of any collaborative research activities. From the private sector health institutions, several hospitals have followed suit in developing and ensuring compliance with privacy policies. Johns Hopkins Aramco Healthcare (JHAH) developed a Patient Privacy Policy to provide for the protection of patients’ personal health information, which is defined as “personal information identifiable to the patient that relates to his or her medical condition or history”. JHAH routinely collects such information in the course of a patient’s enrolment, examination, care or treatment in its facilities and network. It may use and/or disclose PHI in accordance with applicable standards of patient care and privacy (it then goes further to list the purposes for which patients’ data may be collected and processed). 
However, what is conspicuously missing in the privacy policy is that, apart from the statement that “JHAH respects the privacy of its patients and their ‘Patient Health Information’”, it does not state the specific positive responsibilities it has to keep the patients’ information safe and secure. The patient’s rights form part of the hospitals’ internal policies and procedures that workers must comply with, to preserve and protect the confidentiality of their patients’ personal information. Non-compliance with the internal confidentiality policies could attract administrative sanctions, in addition to those applicable under the Saudi Labour Laws. It is apparent from the submissions above that the soft norms also play a significant role in supplementing the laws in protecting the right of patient confidentiality.

6.6 Saudi Hospital Accreditation Standards for Patient Confidentiality

Most of the Saudi hospitals and other healthcare institutions have undergone or are preparing for various mandatory and voluntary accreditations in order to subscribe to the quality standards set up by those accreditation bodies. The scope of these accreditations ranges from institution-wide to a specific service, for example, laboratory, food services, etc. Each of these accreditations has developed certain standards, which the healthcare institutions must comply with, as a pre-requisite for the accreditation. Invariably, these standards dedicate much attention to preserving, promoting, and protecting the patient’s privacy and the confidentiality of their personal information in the custody of the healthcare institutions. There is no significant variation in the standards related to privacy and confidentiality in the various accreditation standards, viz, CBAHI, Canadian or JCI accreditation standards. For instance, the Accreditation Canada’s Qmentum standards include the maintenance of the patient’s privacy and confidentiality in medical records (paper-based or electronic), and the conduct of a regular audit to ensure protection against potential breaches. The Canadian standards also require hospitals to establish corporate policies, which should be consistent with the local laws and regulations, to support lawful access to information, and handle issues related to privacy and confidentiality. Equally, the standards mandate securing and maintaining the privacy and confidentiality of donors, and ensuring that disclosure is only made to those essential for those involved in appropriate services. 
Similarly, the JCI standards have made similar mandates for the hospitals to ensure that the patient’s rights to privacy and confidentiality of care and information are respected. In the same vein, as a standard on the management of information, JCI requires that the hospital determine the retention time of records, data, and information, and have a system in place to secure and maintain information privacy, confidentiality, and security (including data integrity). It is, however, instructive to note that the Canadian and JCI accreditation is a voluntary venture that MOH, quasi-governmental, and private hospitals undertake to raise their standards relative to their contemporaries. All hospitals operating in the Kingdom must submit themselves for the mandatory accreditation by the Saudi Arabian Central Board for Accreditation of Healthcare Institutions (CBAHI) whether or not they have already been accredited by these international accreditation bodies. The Central Board for Accreditation of Healthcare Institutions (CBAHI), which, in October 2015, transformed from the Makkah Region Quality Program (MRQP), is the agency authorised to grant accreditation certificates to all governmental and primary healthcare facilities operating today in Saudi Arabia. It sets out the healthcare quality and patient safety standards and evaluates all the healthcare facilities against them for evidence of their compliance with the set standards. The healthcare facilities include hospitals, laboratories, blood banks, clinics and other ambulatory healthcare centres. It is mandatory for all the public and private healthcare delivery facilities (hospitals, polyclinics, blood banks and medical laboratories) in Saudi Arabia to comply with the national standards set by CBAHI and obtain its accreditation through a survey process set forth by the Centre. The CBAHI accreditation has now become a pre-requisite for renewal of the operating license for all healthcare institutions in Saudi Arabia.

6.6.1 CBAHI’s Definition of Confidentiality

In order to appreciate the confidentiality standards set forth by the CBAHI, it is crucial to review the definition of the term confidentiality thereunder. The CBAHI Standards defined the term confidentiality as: The restricted access to data and information to individuals who have a need, a reason, and permission for such access. An individual’s right to personal and informational privacy, including his or her healthcare records. It is instructive to note at this point that this definition of confidentiality is not consistent with the standard definition of confidentiality as provided for under most of the data protection laws. For instance, it does not identify what specific nature of information makes it “restricted”. Furthermore, it does not define the phrase “right to personal and informational privacy” or “restricted access”, or state whether it refers to electronic or paper-based information. Although the standards referred to privacy and confidentiality severally and separately under different contexts, there is no distinctive definition of the two terms. However, it may be discerned from their usage in the standards that the term privacy is used in reference to access to physical space or physical being of the patient, while confidentiality is used in relation to processing and sharing of personal information or data related to the data subject. Accordingly, CBAHI has made several standards related to the protection of the patients’ privacy and confidentiality rights.

6.6.2 Saudi CBAHI Standards on Patient and Family Rights

It is a standard that hospital leaders support, protect and ensure that patients are aware of their rights and responsibilities. Under the same standards, the hospitals should ensure that the staff respect and maintain the patients’ privacy and confidentiality throughout the continuum of care, including during all interviews, examinations, and treatments. That includes not unnecessarily exposing the patients’ private parts during the care process, and mandating written consent to photograph patients. To ensure compliance with these standards, therefore, the hospital is required to develop and implement a policy that ensures the confidentiality of information related to the patient’s health and how to protect it from loss or misuse. The policy should identify the conditions for the release of confidential data, and how to obtain the patient’s permission if required. Just as noted under the definition of confidentiality, the standards did not clearly state what elements of a patient’s information are confidential that a policy shall govern and ensure compliance with. The Standard also requires a policy in place to prevent misuse or loss of confidential information but does not state what standards are required to be established to achieve that.

6.6.3 Saudi CBAHI Standards on Management of Information

Hospital leaders, as well as users and other staff, receive education and training on data management relevant to their roles and responsibilities, including training on data/information confidentiality and security, among others. Furthermore, the hospital has a policy and procedures that prescribe how to maintain the confidentiality, security, and integrity of data and information including the medical records. Such a policy, which defines and provides appropriate levels of protection to data and information confidentiality, security, and integrity, shall comply with laws and regulations. The standard further requires a mechanism for ensuring that staff access to different categories of information is restricted on a need-to-know basis and that there is an adequate safeguard in place against the loss, destruction, tampering, damage, and unauthorized access or use of confidential data. There should also be some mechanisms that define staff responsibilities to maintain the confidentiality of data and information, e.g., signing a confidentiality agreement, or under a policy. The standard entails reporting of and promptly acting on all incidents of data breaches.

6.6.4 Saudi CBAHI Standards on Medical Records

The hospital maintains a master medical record (either manual or computerized) of all patients that the hospital has treated and/or admitted. The medical record should include the patients’ basic demographic information (identification information) as well as other records of the patient’s activity (visit). The patient demographic information (identification information) includes medical record number, patient’s full name, date of birth, sex, marital status, address, national identification number, next of kin (and his contacts). The patient activity (visit) information includes admission and discharge/transfer dates for inpatient hospitalizations, date of death when a death occurs, encounter date or date of service for outpatient visits, most responsible physician, and mother’s name for new-borns. The Standard requires the hospitals to retain the master patient index permanently to provide historical access to basic patient information and dates of stay in the hospital. A policy should outline how the medical records are stored, protected from loss, theft and deliberate alterations or destruction, and on how to maintain the confidentiality, integrity, and security of the records during storage. In addition, the hospital shall develop and implement a policy that describes the process for the release of medical records for patient care encounters and determines when to (and the mechanism for approval of) release medical records for reasons not related to direct patient care (e.g., research, utilization management, quality improvement, morbidity and mortality, and governmental requests). The hospital has a system for tracking of medical records to identify the location of any record not in the medical records department and its date and time of movement as well as subsequent movements, when applicable.

6.6.5 Saudi CBAHI’s Other Standards on Patient Confidentiality

The CBAHI standards also provide for confidentiality under different areas of the healthcare continuum. For instance, they require that, prior to donating blood at the blood bank, the donor is fully informed of his/her confidentiality right and of the requirement to report test results to health authorities. In addition, the pharmaceutical care department must have a system for maintaining privacy during the provision of outpatient education and counselling. Lastly, but not exhaustively, the operating room should have an ethical code of conduct to protect patient privacy and dignity. It is not within the scope of this study to comment on the quality of these standards, but it would not be out of place to point out here that these standards have gone the extra mile in attempts to keep the confidentiality principles consistent with contemporary demands. While the elaborate standards for data privacy and confidentiality would appear to outdo those available under the laws reviewed, all that the standards require is evidence of the existence of compliance in the form of a policy, guideline, or forms that indicate the fulfilment of elements of the standard stated therein. The standards only require that the privacy and confidentiality policy should comply with the existing laws and regulations. In other words, the policies could operate only within the existing, arguably deficient, laws. Moreover, in most cases, the standards focus on the processes rather than the substance of the protection of privacy and confidentiality. For instance, they do not state the quality of the contents of those documents in terms of their consistency with the established principles of legal protection of confidentiality, except for the data retention aspect. In addition, the standards do not specifically require the fulfilment of the patient’s right to the control of his/her information, or the basic principles of data protection.
Furthermore, they do not specifically require a specific standard of legal protections, exceptions thereto and the safeguards available thereunder. Despite the identified deficiencies, these standards could encourage compliance with the (hard and other soft) laws. As stated earlier on, the CBAHI accreditation audits, corrective action plans and follow-ups, which involve monitoring, peer review, benchmarking, evaluation, and rankings, could play an important role in influencing compliance with those confidentiality standards. Consequently, the hospitals would try to ensure compliance with those standard requirements in order to enhance their chances of obtaining accreditation to maintain their practice licenses as a healthcare institution. The hospitals would enforce compliance through the creation and enforcement of internal policies and procedures, which the staff would be obliged to comply with in order to continue with their job.

6.7 Conclusion

This chapter identifies that Saudi Arabian law is not sufficient and comprehensive enough to deal with the issue of protection for patient confidentiality. It is noted, however, that there are soft norms that may be referred to in order to fill gaps in the law. To what extent do these soft norms adequately fill those gaps? It is acknowledged that, because these soft norms are not laws, they do not attract the kind of sanctions that may be imposed by law to deter HCPs from illegally divulging patients’ personal information; there is a need to review the laws to catch up with the pace of development. The Saudi Arabian data protection policies, as exemplified by the Saudi MOH Saudi Health Information Exchange Policies, merely attempt to fill the gaps in the laws for the legal protection of patient confidentiality. Examples of the attempts are in the areas of the definition of private (personal) health information and data controllers, the rights of data subjects and breach notifications, among others. The next chapter reviews the challenges posed by technological advancements which affect patients’ personal information and the responsibility of HCPs.

Chapter Seven New Challenges To Patient Confidentiality Rights

7.1 Introduction

The revolution in information technology has created challenges for patient confidentiality. It is unclear if these challenges are resultant from the nature and scope of the existing privacy and confidentiality laws or in their applications to the novel technologies. In many cases, the laws in Saudi Arabia lag behind modern developments, including technological advancement, which often gives rise to grey areas when applying the law to novel cases. The law must catch up with technological advancements. The case of Saudi Arabia is unique as the law is divine law. It is a divine law which has been revealed and is not subject to review. Nevertheless, since it is divine it already envisages all advancements that society can achieve. As such, the interpretation of jurists and the application of provisions of the law to meet with extant situations can help to cater to new challenges. These challenges are examined in detail in sections 7.2 to 7.7 of this chapter.

7.2 The Impact of Information Technologies on Patient Confidentiality Rights

The rapid growth of internet technology has made it possible to utilise remote communication in every aspect of life, which strengthens the need for privacy and security in electronic communications... Their use heralds numerous far-reaching benefits for health communication between and among the public, patients, and health professionals. Also, the impact of technology on non-financial outcomes such as patient satisfaction and quality is attracting interest. Information is the lifeblood of modern medicine, while the health information technology (HIT) infrastructure could serve as its circulatory system. Without that system, neither individual physicians nor health care institutions can perform at their best or deliver the highest-quality care. HIT has the potential to improve the health of individuals and the performance of providers, yielding improved quality, cost savings, and greater engagement by patients in their health care. However, these technologies have also changed the way HCPs deal with patients’ confidential information. As the transition of patient care documentation from paper to an increasingly electronic health information system ensues, a new debate over the privacy of individually identifiable health information has emerged. Ordinarily, the concept of privacy and confidentiality ensures a win-win situation for both the patient and the healthcare professional. HCPs need the patient to divulge all pertinent information necessary for diagnosing and treating the patient, while the patients need to feel confident that they can receive the needed health care without the risk of improper disclosure of their private information. It has been claimed that all categories of healthcare personnel are involved in confidentiality breaches, albeit committed unintentionally, but significantly severe and repeated. Therefore, such concerns might potentially result in patients withholding their information, and this could lead to negative clinical consequences.
Electronic privacy (also known as e-privacy) remains a challenge as highly advanced privacy-invasive technologies continue to emerge and evolve, exposing more private data of the patient than previously envisaged. Increasingly, personal information ends up in a ‘bucket’ of the database that can be used and potentially re-used for all kinds of known and unknown purposes. This poses critical questions on the requirements for gathering, storing, analysing, and ultimately erasing such data. In addition to the electronic health information systems, other information technologies have an impact on healthcare and the patient. These include the advent of Internet communication and the use of social media platforms such as WhatsApp in communication among healthcare team members. These technologies have the potential of inadvertently blurring the interface between work and personal time as well as the professional boundary between the patient and the healthcare professionals. Patients, too, mostly unknowingly, leave behind a trail of personal information during their online explorations for answers to their health issues. Just like in many other developing countries, Saudi laws are arguably lagging behind the advances in technology, with the potential for giving rise to significant gaps in the adequacy of data protection. Saudi Arabia has witnessed spectacular progress in health care, arguably one of the best among its peers, and is investing heavily in electronic health information systems, aiming to build a single electronic health system by 2020. Consequently, the use of electronic medical information systems is on the rise in Saudi Arabia. In the same vein, internet activity is becoming prevalent among the Saudi public and HCPs. For instance, recent statistics have shown that nearly one-half (47 per cent) of the Saudi population are internet active, of whom 82 per cent are Facebook users, while the number of Twitter users has risen exponentially.
The trend could steadily rise even higher.

Consequently, these advances in information technologies and social media networking seem to be a new challenge to managing patients’ confidential information. Furthermore, recent concerns related to breaches of patient confidentiality have been increasing as healthcare information management becomes more digitized, disseminated and portable without a commensurate knowledge of the root cause of breaches in confidentiality. Although there are no reported cases of data breaches related to healthcare in Saudi Arabia, there were several reports of data breaches related to other industries in the Kingdom of Saudi Arabia. These reported data breaches include the hacking of the databases of King Saud University, Aramco Company, the Saudi Alyaum Newspaper, Saudi's General Authority of Civil Aviation, and STC Telecommunication Company. This creates a new and complex challenge even to healthcare organizations and professionals in their bid to establish proper controls and security. Note that a recent study has shown how the introduction of Europe’s General Data Protection Regulation (GDPR) exposed even the European hospitals’ insufficient protection of patient confidentiality such that, despite the two-year transition period for its application, they found difficulties in adjusting to the GDPR on 26 May 2018.

7.3 Big Data Companies and the Confidentiality of Personal Data

The big data companies like Google, Facebook, and Uber, among others, use the personal data of users for different public and social purposes, including public health surveillance, with attendant varying degrees of security risks. The risk of a data breach is probable. For instance, Uber’s CEO Dara Khosrowshahi reported an incident of inappropriate access to user data stored on a third-party cloud-based service in 2017, about a year after the event itself. It involved inappropriate access to the names and driver’s license numbers of about 600,000 drivers in the United States. Similarly, Facebook experienced one of its largest breaches when a British company, Cambridge Analytica, allegedly exploited the data of millions of Facebook users to help a candidate during the 2018 US presidential election. Despite their several struggles to convince legislators, the media and users that their privacy matters, some commentators lamented that these giant big data companies only use the phrase ‘privacy’ for their selfish purposes. To them, Facebook uses privacy as a ‘talking point meant to boost confidence in sharing, deter regulators and repair its battered image’ while Google uses it as a functional tool on its ‘on-device data processing to make features faster and more widely accessible’. To illustrate such potential risk in Saudi Arabia, the story surrounding the UK’s experience with mass surveillance through the bulk acquisition of patients’ data is not only relevant but also disturbing. In mid-2015, a public hospital in the UK contracted with an information technology company to develop software using patients’ health information from the hospital’s database. The data package involved patient identifiable information including demographic details, the results of every blood test recorded at the hospital in the five years before the transfer, and the electronic records of patients’ diagnoses, procedures, and treatment courses while at the hospital.
Their dilemma was in the choice of the right approach to deploy data-driven innovations to improve patient care and at the same time maintaining public trust in the use and security of their sensitive health information. The Special Rapporteur on Privacy portrayed the risks involved: There is also growing evidence that the information held by states, including that collected through bulk acquisition or ‘mass surveillance’ is increasingly vulnerable to being hacked by hostile governments or organised crime. The risk created by the collection of such data has nowhere been demonstrated to be proportional to the reduction of risk achieved by bulk acquisition. During my visit, I have discussed the data-sharing agreement between Google’s DeepMind artificial intelligence project and the Royal Free London NHS Foundation Trust. The agreement entered into force on 30 September 2015 and allowed DeepMind to obtain and process partial patient records of approximately 1.6 million patients with the purpose of developing new methods of detection, diagnosis, and prevention of acute kidney injury. The sharing of the data started in November 2015.

7.4 Electronic Medical Records/Electronic Health Information Systems and their Impact on Patient Confidentiality

The increasing demand for advanced information technology in the health sector appears to be outpacing the law and regulations governing the right to confidentiality across all jurisdictions, and Saudi Arabia does not appear to be an exception as of now. Health care settings are embracing the fluidity of the changes happening in society, where they strive to meet the challenges of increased demand for higher quality medical services for less money in an increasingly competitive business environment. Therefore, healthcare providers and research institutions are endlessly searching for solutions that would maximise efficiency at a reduced cost. Most developing countries, like Saudi Arabia, face several challenges associated with maintaining the confidentiality of health-related information, which include the data subjects’ ‘diminished autonomy, language barriers, limited health literacy, and cultural barriers that are resulting from paternalism and social diversity.’ For instance, the Arabic culture gives priority to family values over individual autonomy and encourages conformity to family norms. Although this may have helped in protecting physical and proprietary privacy, the data privacy of data subjects could face significant challenges in such an environment. Trust is difficult to gain and easy to lose. The modern health institutions of developed and developing countries have continued to embrace and adopt electronic health information systems at an unprecedentedly massive rate. This adoption could pose a similar threat to the patient’s right to confidentiality. In Saudi Arabia, many hospitals have introduced electronic health information systems (also called e-health) to replace the traditional paper-based medical records and implement electronic systems.
The use of an electronic health record system is a new experience for many of the health care institutions and professionals, and this could create a new ethical-legal dilemma about their duty of confidentiality. There has been a noticeable shift in the understanding of health information systems and technologies, which raises concerns about their safe use by health professionals. Understandably, the proliferative use of electronic health information systems for health care delivery presents significant benefits for the patients and the health care providers in terms of enhancing patient autonomy, improved patient treatment outcomes, advances in health research and public health surveillance, etc. However, it also presents new legal challenges, including that of privacy and confidentiality of identifiable health information. For instance, Alhammad’s assessment of ‘outpatients’ attitudes and expectations towards electronic personal health records (ePHR) systems in secondary and tertiary hospitals in Riyadh, Saudi Arabia’ buttresses just that. The study noted that three-quarters of the respondents believed that the security and confidentiality of their private health information are important. The author, however, lamented that more research is required to further explore the ePHR privacy concerns of patients and the key factors in improving the use of ePHRs among specific populations. In part, this raises questions of possible lacunae in the laws, in their implementation and/or enforcement. This is because, to develop a law to handle the new challenge, we first have to understand how the technology impacts on the usual professional relationship with the patient.
Despite the varying degree of awareness of their right to privacy, most patients in Saudi Arabia appear to understand that the issue of confidentiality is important but are, nevertheless, in favour of permitting their healthcare providers and some family members to have access to healthcare or research-related data. For instance, Alahmad and others (2016) studied a cross-section of patients for ‘their attitude towards medical and genetic confidentiality in the Saudi research biobank.’ Most respondents agreed to some specifically justifiable disclosures; however, they emphasised the importance of maintaining patient/donor confidentiality. Similarly, other Saudi Arabian studies have shown patients’ qualified acceptance of medical students in their care because of confidentiality breach concerns, or a preference for physical examination by a lone physician. Some patients, studied on their attitude towards shared medical appointments, have shown a preference for the individual appointment approach because of concerns about possible unwarranted disclosure of their confidential information to strangers. The author, therefore, argues that patient confidentiality could be a decisive factor among Saudi Arabian patients in their willingness to freely disclose pertinent information to their healthcare professionals.

7.5 Social Media Use by Healthcare Providers and its Impact on Patient Confidentiality

Apart from the increasing use of electronic health information systems, social media, which is now becoming part of daily life for a majority of people with access to the internet, poses similar risks of breach of confidentiality. Social media use has become ubiquitous in all facets of society, including, and especially, among HCPs. This might be due to the availability of and easy accessibility to the internet and other information technologies across the globe. Unlike before the proliferation of the internet and social media, when people interacted on a face-to-face basis, by mail or by telephone, individuals have suddenly found themselves interacting with strangers who might be far across the borders. This development has raised the temptation for internet users to unknowingly or negligently share even their sensitive data with completely unknown, or partially known, third parties on the Internet. This sudden emergence of blurred boundaries of relationships has the potential to affect the confidential professional relationship between the HCPs and the patients. Social media are user-created content and communications tools hosted on a web-based application, which may be in the form of networking sites, e.g., Facebook or Twitter; media sharing sites, e.g., Instagram; or blogs. Their popularity is rapidly rising from 'obscurity to ubiquity' over recent years. Social media use is prevalent in almost all sectors of human endeavour, be it social, professional, academic, business, or even the healthcare sector. In the year 2018, 90.98 per cent of the 33.25 million Saudi population used the Internet, and 75.19 per cent of those used social media. Just like in the other sectors, its use is accelerating even more quickly than envisaged. There is an increase in the use of social media for, among others, disseminating information among patients and professional colleagues and, recently, as a source of data for surveillance and research.
In the same vein, the use of social media among healthcare professionals is on the rise, reaching about 90% among doctors and much higher among medical students as of 2011. The professional relationship between the patient and HCPs may be under threat with the advent of the internet and, more specifically, the large-scale use of social media platforms by individuals in society, HCPs included. Social media platforms generally enable users to form an online profile, to share personal information, to learn and keep up to date with knowledge, to facilitate virtual attendance at medical conferences, and to measure impact within a field. In addition, in this respect, Facebook offers something unprecedented, i.e., direct real-time access to an individual’s social network without the need for a tedious network registration by participants. Facebook provides such tools as ‘pages’ and ‘groups’ that allow self-enrolment and sharing of information via groups, and applications (Apps) that provide direct access to all the aforementioned tools. These facilities offered by social media seem to create a virtual communication environment that could potentially affect how and what we communicate to whom, especially within the context of the professional relationship between the patient and the health professionals. This is even more so as social media use amongst health care professionals continues to increase. For instance, recent estimates of the use of social media by doctors have escalated dramatically from 41 per cent in 2010 to 90% in 2011, whereas the rates of use are above 90% for medical students. A growing minority of physicians also use social media to communicate directly with patients to augment clinical care, and for professional development through the exchange of knowledge and networking.
Furthermore, the majority of modern patients, especially those with chronic conditions, are seeking out social media and other online sources to obtain information on health issues, to link up with others with similar conditions, and to participate more actively in decisions affecting their health care. This ubiquitous use of social media by both HCPs and patients in recent years shows that these technologies will soon be part of modern medicine. The use of social media through smartphones or computers has become a common outlet where patients’ confidential information could leak, because practitioners are most likely to use it for exchanging information about patient care (including sensitive patient information). It is instructive to note that Saudi literature on medical/clinical ethics remains limited in terms of volume and scope. A study by Al Qaryan and others has noted that a significant proportion of medical interns used personal mobiles to keep in contact with team members regarding the patient, while some 16 per cent of participants did not have any security features on their smartphones. Although this study relates to medical interns and final year students, in the absence of a similar Saudi study on qualified professionals, its findings could serve as the tip of an iceberg in this respect. A similar study among dentists in Saudi Arabia shows that more than half of the respondents admitted using social media in their practice merely for “marketing of their dental practice and broadcasting treatment outcome”.

This discussion takes into consideration the context of the larger society in which the social media is considered as a useful tool for sharing personal information with friends and family members in the social circle, which health providers may find them involved with just like any other member of the society. The public, the patient as well as healthcare professionals use it frequently because of its distinctive features e.g., encouraging greater interactions with others, it is free, available, shared, and personalized information; and it is readily accessible with wider coverage. It can also be used to provide peer/social/emotional support or, to support public health surveillance, and therefore, has the potential to influence health policy. Conversely, Cooper’s Professional Boundaries and the Law reviewed the main aspects of UK legislation related to professional boundaries in social works profession and advised social workers to be acquainted with the relevant laws and official guidance relating to their line of work as ignorance or lack of training is no excuse. Collingwood made an extensive exploration for the adequacy of available privacy protection in the light of the challenges raised by online communicating between individuals under the English legal system. In addition, McLean and Mason had delved into the ethical and legal aspects of confidentiality and disclosures relating to health care. Their study, which was based on the UK legal system, would be remembered for the notable conclusion that medical confidentiality has a ‘nugatory value,’ because of the difficulties of successfully litigating against a healthcare provider based purely on breach of confidence. However, the litigation procedures for privacy issues are different under the Saudi laws, which hold healthcare professionals criminally liable for unlawful disclosure of a patient’s confidential information to third parties. 
Smith aimed to ‘understand student nurses’ ethical and unethical behaviour and boundaries, and to learn how the faculty could promote ethical conduct in nursing students.’ She explored the correlations between the differences in student nurses’ unethical behaviour by age and clinical cohort and the utilization of social media. Although her study was about social media use by a healthcare provider (nurses), it was by no means a legal study but a search for the educational needs of prospective nurses. On the other hand, Azizi discussed the issues surrounding online social networking, and the implications of the use of these sites by healthcare professionals, with the conclusion that social networking embraces both benefits and risks. Likewise, Griew et al attempted to conceptualise a categorisation of healthcare providers according to ‘who should know’ (healthcare providers like doctors, nurses etc.) and ‘who can be allowed to know’ (clerical staff etc.) for mapping out a data security strategy on electronic health information system. Their study was generally about protecting electronic patient record. From the other jurisdictions as well, numerous similar studies have been conducted on social media use and or on patient’s privacy/confidentiality but with different focuses. For instance, a New Zealand study examined the nature and extent of the use of Facebook by young medical graduates, and their utilisation of privacy options. Their survey of recent graduates of medical colleges found that 63% of medical school graduates had a Facebook account, and in nearly half of that, their account privacy settings are public. Similarly, one of the numerous US studies on the use of social media by healthcare providers explored the prevalence of, and the extent to which they use, social media in clinical practice, and their decision-making process when dealing with information accessed on social media. 
The study illuminated the demeanour of medical professionals on social media, in particular, whether they search for patients’ profiles on social media, and how they respond to adolescent profile information on social media. Another US study worth mentioning here is one done by Ventola. The study explored the nature of social media, social media use by healthcare professionals and social media for healthcare professionals, and warned of the potential risks to patients and healthcare professionals, which include breaches of patient privacy and violation of personal/professional boundaries.

The social media, whether used by individual HCPs, by healthcare institutions or by the patients have a lot to offer in terms of creating a new approach to networking, seeking and sharing information about health needs, or communicating with others. It has created opportunities for communications between healthcare professionals and institutions on the one part, and the patients on the other, as well as communication among patient populations. However, the hitherto clear confidential relationship and boundary become blurred with the result that, individually identifiable health information may be disclosed to third parties.

7.5.1 The Benefits of Social Media in Healthcare Communication

There is no doubt that the social media heralds numerous all-encompassing benefits for health communication between and among the public, patients and HCPs. Social media users can control the dynamics of the interaction and therefore, can increase the frequency and number of interactions. Therefore, social media and blog sites provide for a more readily available, shared and customised health information to deal with health issues, with a potential to improving health outcomes. Just like most other jurisdictions, social media use among Saudi Arabian citizens and residents is high. Social media has largely affected the practice of medicine (and other health care professions), perhaps most publicly by facilitating improved communication with and among patients. One of the main benefits of social media for health care communication is the availability and broadening access to health information to all, irrespective of gender, age, socio-economic status, race, or geographic locality, as compared to conventional communication approaches. Social media also can provide for easier and wider access than in the traditional methods where some people, such as the youth and those in the lower socioeconomic groups would not have easy access to health information. Facebook offers something unprecedented, i.e., direct access to someone’s social network, without the necessity of enrolment by participants. In addition, health-related social media sites have changed traditional patient-physician relationships. Even among Saudi Arabian patients, social media use for health communication is on the rise. A study of Saudi Arabian patients indicates that patients feel comfortable to access social media to take care of their health. Social media provide an accessible platform for discussing sensitive and complex issues/information with health professionals. In some social networking sites, patients form groups, share experiences and assist each other. 
Social media provides the health care professionals with the wherewithal to share professional information, to debate health care issues related to policies and/or practices, and post beneficial comments to both the patients and colleagues. Health care professionals can also use social media to potentially improve patient’s health outcomes, develop a professional network, keep up to date with news and discoveries, motivate patients on their illnesses and treatment options, as well as provide a piece of reliable health information to the community. For instance, the Google Hangout platform provides a forum where the health care provider can communicate or interact with his or her patients. They can also use it to follow up on their patients’ conditions and to proffer appropriate measures before complications set in. A study of a group of Saudi Arabian resident doctors in 2018 has shown that a significant number of them (28 per cent) have affirmed that they do access medical information of their patients through the social media, in addition to the conventional sources. The era of communicating disease information through leaflets and pamphlets is running into extinction giving in to the easy, available and low-cost use of social media fora. Therefore, many health care professionals and institutions take advantage of these benefits that become available by merely joining the social media platform. An example of such experience is the one shared by the European Association of Urologists where the association used the social media to keep its members updated with urologic literature and news, follow live reportage of academic conferences, participate in the discourse on a barrage of ideas, and network with colleagues from around the world. In short, social media can, for instance, help urologists to access, contextualize, and engage with academic medical content.

Conversely, health care institutions are increasingly getting involved in social media both as a marketing avenue and as a platform for providing information about their available services. Similarly, another Saudi Arabian study has affirmed that patients, healthcare workers and health institutions use social media networks for health education and to disseminate useful health information, especially during epidemics of infectious diseases, e.g., the 2009 H1N1 (and recently the Middle East Respiratory Corona Virus) epidemics, potentially for communicating Ebola Virus information, and even during natural disasters. The Saudi Ministry of Health, too, has a unified social media account to communicate with the public. Social media not only supports healthcare processes through gathering and sharing information among communities and groups but, in this way, also supports patient empowerment by putting patients in a position to take control of their healthcare needs. The communities of networking and data-sharing platforms encourage and support members in sharing experiences about their sickness conditions and treatment options/outcomes, and enable them to track personal health and be actively involved in their care. Another health communication use of social media is in the field of public health surveillance. Social media have recently come to be seen as a source of data for surveillance and research, providing a real-time and relatively low-cost communication tool to track public concerns or capture discourses being undertaken outside of the traditional media channels. These uses may include monitoring public response to health issues, tracking and monitoring disease outbreaks, identifying target areas for intervention efforts, and disseminating pertinent health information to targeted communities.
Moreover, social media is also used to recruit patients for clinical trials based on social media profiles, to mine such data for epidemiological studies, or to crowdsource answers to individual clinical questions, e.g., the use of posted tweets data to detect and monitor disease activity such as cholera outbreaks. While social media are primarily used for social interactions and keeping in touch with friends and family, we have realised from the foregoing that they are increasingly being used for health-related purposes. Both patients and healthcare professionals use social media for different purposes. Patients use it for increasing knowledge and exchanging advice, and healthcare professionals ‘for communication with their colleagues and marketing reasons,’ but patients have raised concerns about privacy issues and the unreliability of the information so obtained. Social media can also contribute to medicine by improving communication with patients, enhancing professional development, and contributing to public health research and service, thereby promoting better outcomes. Social media is therefore revolutionizing healthcare delivery, and its benefits outweigh its drawbacks; however, the discourse on the dangers of social media use for health care has overshadowed the consideration of its potential benefits. The main challenge that healthcare professionals in Saudi Arabia, as elsewhere, face on social media is how to keep appropriate professional relationship boundaries safe when interacting with patients online, and how to ensure the maintenance of patient privacy/confidentiality. The health care professionals’ online behaviour and the content of their posts can adversely affect their professional reputation, which may ultimately have far-reaching consequences on their careers as well.
Unsurprisingly, the UK’s General Medical Council advises doctors to “make sure that (their) conduct at all times justifies their patients' trust in them and the public's trust in the profession.” Similarly, under the Saudi Arabian Code of Ethics for Healthcare Professionals, the knowledge of the health practitioner about the patient’s secrets does not entitle him/her to disclose them or to talk about them in a way that would lead to their disclosure, except as otherwise lawfully justifiable. However, such lawful justification must pass the triple test of legality, legitimate aim and proportionality.

7.5.2 The Limitations and Dangers of Social Media for Healthcare Communication

There is no doubt from the above elaboration of the benefits of social media in health care that social media use in health care is a welcome idea. However, it has its limitations and dangers. The quality of information derived from the data of social media interactions is usually variable and inconsistent, as social media tools are largely informal and unregulated means of data collection, sharing, and dissemination. Both the patients (and the public at large) and the health care professionals may encounter certain barriers to the use of social media. For the patients and other users of social media, the main concern is the risk of privacy infringement and the unreliability of the information obtained therein, whereas the professionals’ main barriers were inefficiency and lack of skills. However, by their nature, medical practice and social media use are contradictory. Medicine, by its nature, involves private communications, privacy, confidentiality, and formal conduct, whereas social media entails the values of sharing and openness, connection and transparency, and informality. Therefore, any attempt to converge the two could create some concern in the medical field. Hence, social media fora like Facebook, Twitter and WhatsApp, as well as the ubiquitous search engines like Google, are raising an unprecedented level of medical-legal/ethical dilemmas as doctors (and, by extension and implication, other health care professionals) around the world struggle to responsibly incorporate these new technologies into their professional lives. Undoubtedly, these concerns might have stemmed from the issues of privacy/confidentiality, consent, professional/public/private boundaries, and other ethical issues of consequence to health professionals.
Curiously, because of such concerns from the majority of social media users, including health care professionals, the social media sites have swiftly developed more robust privacy controls to enable users to have greater control over their privacy on the platform. In addition, emerging evidence abounds showing that medical professionals have discovered new means of safely and productively navigating through social media for use in health care. These moves could illustrate that social media has been accepted as a tool to complement modern medical practice, as it could provide unprecedented opportunities for cost-effective 2-way communication between health professionals and patients. Despite the currently available privacy safeguards, and the ability of users to navigate safely, there still exist potential risks of blurring the boundaries of professional confidential relationships. This could be due to the tendency of healthcare professionals and institutions to process the patient’s data disproportionately, beyond the legitimate aim of the data collection. Therefore, all users of social media should also be cautious of the inherent risks associated with the unaccredited nature of the information. Moreover, social media use also has the potential to create dual (professional versus private) relationships between health care professionals and patients, or blur the boundaries of the patient/professional relationship.
The potential risk associated with breaching patient confidentiality or posting unprofessional content can be brought about by the ‘immediate and extensive visibility of online postings, and their permanence on the sites.’ In other climes, for instance, severe data losses in England were reported to the Department of Health in the year 2012, mostly involving the loss or theft of data, while almost one-third were related to unauthorised disclosures. Another report released to Guardian Healthcare showed that 16 trusts had brought 72 separate actions against their staff for inappropriately using social media at various times between 2008 and October 2011. The ‘inappropriate use’ further includes inappropriate conversations or comments about patients or patient care, or posting pictures of the workplace on the social media platform. Social media users are often unaware of the risks of wrongful disclosure of personal information online, or of sharing harmful or incorrect advice on social media. Just like other members of the public, some clinicians clearly also make use of social media in their professional lives, but respect for privacy remains a matter of concern for everyone. In Saudi Arabia as well, the patient’s privacy is among the top dilemmas for public and private healthcare practitioners.

The main challenge that health care professionals face on social media is how to keep professional and appropriate boundaries safe when interacting with patients online, and how to ensure that patient privacy and confidentiality are maintained. The health care professionals’ online behaviour and the content of their posts can adversely affect their professional reputation, which may ultimately have far-reaching consequences on their careers as well. Unfortunately, the hospital organisation is incapable of controlling the professionals’ conversations on social media. At best, the hospital and professional bodies may develop a robust policy or guideline holding the professionals responsible for their online behaviour. Unsurprisingly, the Saudi ethical code prohibits the healthcare practitioner from abusing the patient’s trust and rights, just like the UK’s General Medical Council advice that doctors should ‘make sure that (their) conduct at all times justifies (their) patients' trust in (them) and the public's trust in the profession’. Accordingly, under the Saudi Arabian laws, although there is no explicit legislation that specifically regulates the online behaviour of HCPs, the Cyber-crime law prohibits defamation and infliction of damage upon others using various information technology devices. Such an offence could attract imprisonment for a period not exceeding one year and a fine not exceeding five hundred thousand riyals, or either punishment. In other words, if a healthcare professional posts the patient’s pictures or otherwise defames a patient using social media, for example, he/she may be subjected to the same punishment under this law.

7.6 The Impact of e-Health Technologies on Patients’ Confidentiality Right

Another evolving new technology that is used for collecting and managing patients’ health information is the e-health concept. E-health is a rather new healthcare practice supported by information technology that evolved within the preceding decade. The concept is referred to as e-health for any kind of on-line or off-line computer-based application or electronic device, or m-health for any (mobile) monitoring system, that healthcare professionals use in healthcare practice to monitor or improve the patient’s health status. Other similar concepts with like impact on patient confidentiality include ePrescribing (access to prescribing options, printing prescriptions to patients and sometimes electronic transmission of prescriptions from doctors to pharmacists), telemedicine (physical and psychological diagnosis and treatments at a distance, including tele-monitoring of patients’ functions), wearables and fitness trackers, among others still evolving. E-Health or similar applications offer healthcare professionals access to medical knowledge and patient data at the point of care, but studies have emphasized that they could be potentially dangerous. These advantages of e-health are thus not without some corresponding disadvantages. There are several concerns related to treatment credibility, user privacy and confidentiality. These new applications might potentially empower patients to get healthier or possibly enable clinicians to become more effective and efficient. Physicians now have new ways to conduct professional communication, and have easier access to decision support and expedited, efficient specialist consultation. The modern internet-enabled smartphones with health technologies are easy to use and portable, but they are easy prey for hackers.
This is because a smartphone is like a micro-computer that has a microphone, a camera, a GPS and an antenna with which to connect and share all your information, including telephone numbers, addresses, emails, photos, contacts, bank accounts and credit cards, to anywhere. Therefore, a smartphone could be a dangerous treasure trove of our delicate information that arguably becomes part of our life, but at a very high risk. The potential risks of recording, storing and sharing patient information or images on such devices may further intensify if electronic mobile devices are hacked, lost or stolen. Mobile security risks are high because eHealth tools give hackers ‘easier direct access to more valuable organizational assets than any other intrusion point.’ The reports of data protection violations seem to outweigh the magnitude of real damage to health caused by health apps. The e-health technologies, no doubt, offer patients and doctors the means to interact and communicate remotely to diagnose and manage the patient’s ailments without the necessity for a face-to-face encounter. However, the use of these tools along with cloud services allows for the collection and processing of huge amounts of health information, which may ultimately come into the possession of third parties without the knowledge and consent of the data subjects. Instructively, the Saudi Telemedicine Regulations only require compliance with the health information exchange policy (SeHE), including ‘all relevant data security and privacy requirements, and be compliant with interoperability frameworks and/or HIPAA’. However, the regulation does not explain what these ‘relevant data securities and privacy requirements’ are, nor define what HIPAA signifies in its table of acronyms. It is this thesis’ assumption that the HIPAA is referring to the US’ Health information portability and accountability Act of 1996 that provides data privacy and security provisions for safeguarding medical information.
Apart from the e-Health tools discussed supra, there are several technologies in hospitals, malls, public places and the street that collect, analyse and store our data daily. Consequently, by merely walking out of your home to work or school, multiple cameras prowling around would have tracked your movement such that it would not be difficult to reconstruct your tracks with great precision, although you have not known about it, nor given consent to it. More often, you find signposts in public places alerting people to the presence of CCTV cameras, whereupon the only option open for non-consent is to avoid going to such places. However, that would potentially mean that one could only avoid these cameras in modern cities by staying indoors at home without going out to work. This would not only be impracticable, but it could also have serious ramifications for society as a whole. Therefore, it could be argued that these serious privacy concerns create new challenges to privacy laws. As a result, it is appropriate to assess whether there exist adequate legal protection and safeguards for information privacy and confidentiality under the current laws, or whether there are substantial gaps in the legal regime that need to be filled by new laws or regulations. The key to successful data protection related to e-Health would seem to be the consistent implementation of the existing laws along with obtaining valid informed consent freely given, to enable data users to take their own decisions with regard to the sharing of their data.

7.7 Cloud Computing and its impact on Privacy and Confidentiality

Information Technology plays a strong role in the health and patient care arenas, with cloud computing slowly beginning to make its mark. When using the cloud for e-health, security and privacy issues are most important, and they should be addressed before cloud computing can be adopted successfully by all quarters. Consequently, stakeholders of the healthcare sector are concerned about privacy, thereby triggering the need to seek proper measures to protect it. However, current cloud services usually expose these data on a machine owned and operated by a third-party organization, in an unencrypted form. In a study that asked whether privacy is an important issue in cloud computing, 55 per cent of respondents agreed that privacy is an important issue in health sectors, 25 per cent of them said no and the rest (10 per cent) did not answer. Privacy ranks at the top of the list of reasons for the slow adoption rate of cloud computing. Eighty-five per cent of the respondents agreed that information transfer from one hospital to another threatens patients’ privacy, while 5 per cent said no and the rest (10 per cent) did not respond. On the safety of data, half of the respondents agreed that patient health records are not safe in cloud computing in health sectors. In early 2018 (following a public consultation process held during 2016), the Saudi Communications and Information Technology Commission (CITC) issued the Cloud Computing Regulatory Framework (CCRF). The CCRF entered into force 30 days from its publication on 6 February 2018 (corresponding to 20 Jumada Al-Awwal 1439 H), and thus came into effect on 8 March 2018.
The CITC aims to stimulate investment, localize cloud computing services in the Kingdom, and issue guidelines on their use for all segments of users, whether individuals, the government sector or the private sector. The CCRF applies to the ownership, operation, or offering of access to datacentres or cloud systems in Saudi Arabia where a Cloud Service Provider (CSP) is processing or storing customer content within the Kingdom. The CCRF requirements apply regardless of whether the CSP captured by the regime was the same entity that concluded the cloud contract with the Cloud Customer(s) in question. The CCRF provides that ‘Customer Content can be subject to any of the four different levels of information security, depending on the required level of preservation of the Customer Content's confidentiality, integrity, and availability.’ The first three levels apply to data of private customers, with non-sensitive customer data in level 1, sensitive customer data in level 2, and data from private sector industries, subject to any sector-specific rules or decision by the regulator, in level 3. Any Customer Content from private sector-regulated industries is subject to a level categorisation by virtue of sector-specific rules or a decision by a regulatory authority. Cloud users are responsible for categorizing the levels; otherwise, the general assumptions under Article 3.3.4 apply, i.e., private individuals domiciled in the Kingdom, and others not otherwise categorised (Level 1); private corporate entities registered in or with a local address in the Kingdom (Level 2); and government agencies (Level 3). Accordingly, the Framework prohibits cloud service providers from processing any Level 1 or Level 2 customer content without obtaining the customers’ prior explicit consent via an ‘opt-in’ or ‘opt-out’ mechanism.
Furthermore, the Framework only mandates cloud service providers to inform their customers in advance whether their customer content will be permanently or temporarily transferred, stored, or processed outside of Saudi Arabia. The Framework obliges CSPs to inform customers of a security breach immediately. Under the Framework, ‘User Data’ shall mean: Any data relating to an identified physical person who is a Cloud User or to such a Cloud User that can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors which allow that person to be identified. The Framework further requires CSPs to report security breaches or information leakage that those CSPs become aware of, insofar as such breach or leakage affects or is likely to affect those cloud users’ cloud content, user data or any cloud services they receive from that CSP. In addition, under Article 3.3.11 of the CCRF, customers have the right to access, verify, modify or delete their data.

Although the Framework looks lofty and promising, the standard data-protection principles (e.g., purpose limitation, transparency, data collection limitation, consent etc.) and the rights of data subjects (e.g., right to object to processing, compensation for damages etc.) have not been adequately addressed therein. It is unclear what remedies lie for the aggrieved cloud user upon being informed by the CSP of the breach of his data. Furthermore, the CCRF does not specify the quantum of penalties, but provides only that any violation of its provisions shall incur such penalties as "the [CITC] may impose under the statutes". The statutes include the Anti-Cyber Crime Law and the Electronic Transactions Law, and any laws or provisions that may amend or replace them in the future.

7.8 Summary of Current Challenges to Patient Confidentiality

Although a wide range of Shari’ah inspired laws and regulations protect information privacy under Saudi laws, the current system suffers from several significant flaws. For instance, because the laws have tended to develop in an irregular and largely sporadic fashion, there are substantial gaps in the information privacy protections offered to individual citizens. This is because legal reform in this area is typically reactive, with the law responding to rapid and often unexpected changes in the technological landscape of privacy, surveillance, and data sharing. Equally, although concerns about the widespread use of information technology have increased in recent years, public area surveillance remains relatively unregulated when compared to other, similarly intrusive forms of state surveillance and information gathering. Furthermore, the rules and regulations that govern information privacy and the use of personal information are not based on any single rationale or set of stated principles. The absence of clearly defined, overarching principles means that each piece of legislation, line of judicial decisions, or code of practice has to be understood and interpreted within its specific context. This can make the task of determining what rules apply to any given form of data collection or processing complex and time-consuming, and it increases the likelihood that individuals will have their privacy breached or abused by unlawful disclosure to unknown third parties. Therefore, it could be argued that these serious privacy concerns create new challenges to privacy. As a result, it is pertinent to assess whether information privacy is being adequately protected, or whether there are substantial gaps in the legal regime that need to be filled by new laws or regulations. Other necessary steps to reduce this risk could include strengthening the regulatory safeguards for protecting privacy and personal data from abuse and misuse.
In respect of the Saudi Arabian setting, the assessment by the triple test has shown that such safeguards are defective and inadequate. Before the chapter delves into the instances of the challenges to patient confidentiality, let us address the questions raised in relation to the triple test.

7.8.1 Technological Challenges to Compliance with Patient Confidentiality

In addition to the dangers attributable to the use of social media for healthcare communication, another factor that could affect the patient’s confidentiality rights is the unprecedented rate of establishment of electronic health information systems by healthcare institutions in Saudi Arabia. Many hospitals have introduced electronic health information systems (also called E-health) to replace the traditional paper-based medical records. Since the use of an electronic health record system is a new experience for many of the health care professionals in Saudi Arabia, this could create a new ethical-legal dilemma about their duty of confidentiality. Therefore, given the special professional relationship of confidence which traditionally bonds the healthcare practitioner with the patient, the use of these technologies by healthcare professionals portends a new risk of breach of that duty of confidentiality. Although the patient’s right to demand confidentiality of his information is not absolute, an unlawful breach could result in a crime, an actionable tort, or become a subject of disciplinary action. This risk is further exacerbated by the ubiquitous nature of those technologies all over the world. The world continues to embrace them even more with every passing day. It would seem proper to contextualise the challenge in the Saudi Arabian jurisdiction. For instance, as part of its popularly coined Vision 2030, the Kingdom has an ambitious technological growth plan in the healthcare sector to ensure a smooth integration of medical records among its health care institutions. The plan includes the integration of electronic health information records of the primary healthcare clinics with those of the specialist tertiary health institutions to enable healthcare professionals to share patient data, securely and seamlessly, as they deal with millions of patients annually.
In view of the increasing and rapid demand for healthcare services, and a blossoming information communication technology (ICT) community, this ambitious government plan could help the Kingdom to achieve its vision of becoming a regional (and possibly, global) leader in information technology (IT) healthcare systems development and adoption. Several indicators seem to suggest that the Saudi healthcare industry could maintain the momentum of its rapid growth, at least in the near future. The most prominent indicator of this direction is the growing desire among the current population to improve their wellbeing. In addition to the immensely growing Saudi healthcare workforce, the Kingdom of Saudi Arabia has been welcoming hundreds of thousands of healthcare practitioners from all over the globe. This could have a significant implication for the clinicians’ perceptions related to patient confidentiality, given the diversity of their training and practice backgrounds. Privacy issues have almost always delayed the adoption of systems such as cloud computing in Saudi Arabia. Some of the major barriers to adopting electronic information systems are the lack of practical knowledge among users, and weak laws dealing with privacy. Many countries, including Saudi Arabia, do not yet have a comprehensive data protection law, though they have devised strategic plans for privacy protection. Moreover, integration or interlacing of electronic health records between entities or among clusters of hospitals could present a huge challenge and a serious concern related to unauthorized access, security violation, and difficulties in securing a safe and seamless transfer from one hospital to another. Consequently, the increasing use of electronic health information systems would require a suitable legal and ethical environment that safeguards data privacy, security and confidentiality.
In particular, healthcare professionals and health institutions must respect, and take responsibility for, fundamental human rights and, especially, the right to privacy and confidentiality of patients’ sensitive data.

In view of the arguably universal nature of medical practices and the human right to privacy/confidentiality, this chapter undertakes a general review of the benefits and dangers of embracing the new information technologies and their impact on the confidentiality of sensitive health data. The focal point is the impact of these information technologies on the confidentiality of patients’ data, and whether the possible gap, if any, between technology and the law has been adequately bridged. It also explores, based on the triple test, the adequacy of the legal safeguard of patient confidentiality in light of the new challenges brought about by the use of information technologies. On the other hand, it also attempts to proffer practical ways of ensuring that, despite the technologies, practitioners could maintain their solemn duty of securing and maintaining the confidentiality of the patients’ sensitive health information.

7.8.2 Legal Procedural (Litigation) Challenges to Patient Confidentiality

Despite the efforts of Saudi Arabia in standardising medical malpractice litigation, it has not been as effective. As discussed earlier on, the Law of Practicing Health Professions (and other health-related sectorial laws) is the substantive law that defines duties of healthcare professionals and their various liabilities for their failures to abide by the law. The Law of Practising Healthcare Professions empowers the Minister of Health to establish some quasi-judicial/medical bodies, its membership, quorum and jurisdictions and provides for the machinery and process of litigations for medical negligence. The administrative regulations made according to these laws provide details of the procedures for adjudicating the cases arising thereunder. There are three distinct panels involved: The Sharia Medical Panel (SMP), the Medical Violation Committee (MVC) and the Primary Investigation Committee (PIC).These Committees apply equally to private healthcare institutions as well. The SMP’s jurisdictions include considering claims of professional malpractice where personal right is claimed, or which results in death or loss of organ or function based on Islamic shariah even where no private right is claimed. The MVC has a similar jurisdiction except that it does not deal with cases that result in death or loss of organ or function, and it only applies to violations involving the MOH and private medical institutes to the extent that the SMP may not have to try the same case again. In both cases, the applicable law is the Islamic shariah, its quorum shall be full members in attendance, while its resolution is by the simple majority provided that the judge is among the majority. The judge then issues the verdict based on the members’ opinion, and sentence based on Shari’ah. 
Appeal from their resolution shall lie in the Board of Grievances within 60 days, provided that, in the case of the MVC’s decision where the suit involves loss of organ or function or death, it would refer the case to the SMP.On the other hand, the Law empowers the directorates of health affairs, director of health services or deans of medical colleges to create a Primary Investigation Committee (PIC) with the responsibility of conducting an interview of the parties, perusing the medical records and establishing the existence of an error. It has to distinguish between ‘medical mistakes and complications’ and side effects of medical treatments, and then sends its report to the appointing authority. Consequently, under the Saudi legal system, the litigation procedures involve only these quasi-medical/legal panels/committees, and not the conventional courts, at least at the first instance. Usually, the patient or his/her relative makes a formal complaint of medical negligence to either the facility’s administration, ministry of health or the city administration. The procedure may well begin with a preliminary investigation carried out by the administration department of the facility involved. Where such is the case, the director of the hospital shall cause to preserve all medical records, laboratory samples and results for possible conveyance to the Shariah Medical Panel when it is eventually referred to. Once the case has been properly referred to the SMP, the panel shall prohibit the defendant from leaving the country to guarantee his attendance. Both parties are then notified of the date and venue of the sitting, which shall be in a facility of the ministry of health. Pleadings are heard and recorded in the Arabic language. 
Parties can bring a translator that they trust, or may have to make do with a translation by one of the panel members. Where any of the parties or their attorneys fails to appear despite proper notice being served, the Shari’ah Medical Panel may adjourn for another hearing after 30 days. In the event that the plaintiff fails to appear, the defendant shall be discharged of the personal right claim, but the Shari’ah Medical Panel may decide to proceed with the common right aspect (the criminal aspect), if any. The file will then be returned to the facility that referred the case, and any travel ban may be lifted. Conversely, if it is the defendant who defaults in appearance, the Shari’ah Medical Panel may proceed with its verdict, which, for all intents and purposes, shall be deemed valid. All verdicts and results of the SMP and MVC resolutions shall be communicated in writing to all parties to the suit. Any dissatisfied party may appeal within 60 days to the Board of Grievances, provided that the appellant shall submit his objection to the Minister of Health within 30 days for onward dispatch to the Board of Grievances. Where the suit does not involve a personal right, or the personal right was dropped for non-appearance of the plaintiff, or in addition to the private right, any common right aspect shall be prosecuted by an appointee of the minister of health. Where the defendant is found to be only partly responsible for the malpractice, he would only be accountable for that portion of responsibility. The Panel/Committee may as well encourage settlement between the parties, or decide on a sort of ‘no case submission’ and close the case. In all cases, a claim in medical negligence must be brought under the Law within one year of the knowledge of the negligence to avoid its becoming statute-barred. 
Furthermore, the Appellate Court shall dispose of the subject matter of the appeal based on the evidence enclosed in the case file, and litigants shall not appear before the court unless it decides otherwise. Neither the laws nor their implementing regulations have stated the grounds under which the court may decide otherwise. Interestingly, the appeal session considers only the process and the verdict, not the professional standard aspect of the decision.

7.9. Standard Data Protection Principles to address the new Challenges

The previously proposed, but not approved, E-Privacy law of Saudi Arabia would have provided suitable data protection that is consistent with the international data protection principles. The proposed draft included all the data principles being discussed infra as contained in the Madrid Resolution and would have been consistent with the new GDPR. These data protection principles are necessary steps to reduce the data breach risk by strengthening the regulatory safeguards for protecting privacy and personal data from abuse and misuse. This could be achieved by adopting a regulatory framework that incorporates the standard data protection principles and rights of the data subjects. Those data protection principles include that of ‘lawfulness, fairness, and transparency’, which requires that personal data should be processed lawfully, fairly and in a transparent manner in relation to the data subject. In addition, the data should be primarily collected for specified, explicit and legitimate purposes (purpose specification principle) and not further processed in a manner that is incompatible with those purposes (purpose limitation principle). Furthermore, the data collected should be accurate and, where necessary, be kept up to date (‘accuracy’), and it should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (‘data minimisation’). Unless otherwise provided by law, the personal data collected and stored in the custody of the data controller should be kept for no longer than is necessary for the purposes for which the personal data are processed (data retention). While the data controller is responsible for ensuring compliance with these principles (accountability), appropriate steps must be taken to ensure the security of the personal data against unauthorised access, processing and accidental loss, destruction or damage (‘integrity and confidentiality’). 
The data protection law and/or regulation must also guarantee the standard data protection rights of the data subjects:

Right of Transparency in Dealing: The law should allow the data subject to have his/her data processed transparently. The controller shall take appropriate measures to expeditiously provide any information relating to processing to the data subject, free of charge, in writing or by other means, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, within one month of the request, or notify the data subject of the reason for the delay. Furthermore, the data subject also has the right to access information about why the data is processed, who processes it and how it is being processed. In particular, the regulation should require the data controller to provide the identity of the data controller, the contact details of the data protection officer, the purpose of processing his/her data, and the possible third parties who might be receiving and processing the data. Furthermore, the data subject shall have the right to be informed of the existence of the right to request from the controller access to and rectification or erasure of personal data. He/she also has the right to restrict or to object to the processing of his/her data, the right to data portability, and the right to complain to a supervisory authority.

Right of Access to Personal Data: Provided that it does not adversely affect the rights and freedoms of others, the data subject has the right to obtain, free of charge, a copy, including an electronic copy, of his/her data undergoing processing, but further hard copies may be requested at a reasonable fee to cover administrative costs.

Right to erasure (‘right to be forgotten’): The patients should be able to access, correct, and possibly remove health information stored about them. Under certain conditions, the data subject also has the right to request the data controller to, completely, erase personal data about him. The grounds upon which the data subject may request an erasure of his/her data include where the data is no longer necessary to achieve the primary purpose for which the data was initially collected, or where the data subject has withdrawn consent or objects to further processing under the regulation. Additionally, a request for erasure may not be denied where the data was unlawfully collected, or the erasure request complies with a valid law governing the data subject. However, the request for erasure may be denied where the information is necessary for exercising the right of freedom of expression and information, or for compliance with a legal obligation, for the reason of public interest, e.g., promoting public health, or for establishing or claiming a legal claim.

Right to restriction of processing (Opt-out): The data subject has the right to demand the restriction of further processing of his/her data collected by the data controller based on some condition precedent. These include if the accuracy of the data is contested until verified, or the processing is unlawful and the data subject objects to erasure, or, where the data controller no longer needs the data for the purpose it was collected, but the data subject requires it for establishing, exercising or defending a legal claim. In all such cases, the data may only be further processed with a fresh valid consent of the data subject unless the processing is necessary for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of important public interest.

Similarly, the data subject may object to the automated processing of his/her data where it is necessary for the performance of the controller’s public duty, or to pursue the legitimate interests of the controller or of a third party. He/she may also object to automated individual decision-making, including profiling, that could produce a legal effect on the data subject. The right to object to automated processing does not apply where it is according to a contract validly entered into between the data subject and the data controller, or if it is authorised by law, or where the data subject has validly consented to it. Under such circumstances, the data controller is under a duty to safeguard the data subject’s legitimate rights and interests.

Right to Request Rectification: Where the personal data collected is shown to be incomplete or incorrect, the data subject has the right to demand rectification or completion of the data, including by way of providing supplementary information or a statement. Pursuant to the data subject’s right to rectification, erasure or restriction of further processing of his/her data, the controller shall communicate the fact to each recipient to whom the personal data have been disclosed, where possible, and if not disproportionate.

Modern data protection legislation should include all the listed data protection principles as well as the rights of data subjects to be able to provide an adequate level of protection to patients’ confidential information. We can recall that there was a proposal for a draft e-privacy law for Saudi Arabia in 2015, which reportedly provided for all these requirements, but it is yet to see the light of day. There is, therefore, no comprehensive data protection law that includes these data protection principles and the rights of the data subjects.

7.10. Conclusion:

There is no doubt that the advances in information technology are fast-evolving and are fast transforming human lives in many different ways. The transformation also includes the healthcare delivery sector of our human endeavours. Health professionals can now use technology to diagnose, treat and follow up their patients much more easily, efficiently and quickly. Patients can now seek health information, tips and advice on the internet or through social media. Social media is now useful in crowdsourcing for research and in contact tracing during disasters, epidemics and outbreaks. It is no longer in dispute that information has many benefits for society. However, technology, and particularly information technology, be it social media, the electronic health information system or e-health concepts, has made easier not only human social interaction but also the way that the patient and the healthcare professionals interact with each other within the purview of the confidential professional relationship. For this relationship to thrive, and to nurture the required mutual trust between the patient and the healthcare professional, the latter commits to their duty to maintain the confidentiality of any personal information that the patient divulges to them to enable them to identify and treat his ailment smoothly and successfully. However, the advances in modern information technology have created a potential risk to this right of confidentiality, which the patient has always enjoyed, as protected by the laws. It has been argued that the laws are not able to keep pace with the revolution going on in the information technology sector. This ensuing gap potentially gives way to unresolved grey areas. Of course, some regional bodies are making efforts to reduce, if not eliminate, such risks resulting from the fast dynamics of information technology. 
A good example of such an effort is the European Union’s General Data Protection Regulation, 2016, which came into effect on May 26th, 2018. It has not only laid down some basic data protection principles but also given some rights and powers to data subjects, in this case the patients, to control how, by whom and for how long their data may be processed and shared. The GDPR may be considered a wake-up call to all countries to optimise their laws to deal with the impact of technologies on the patient’s confidentiality rights. The professional bodies and regulators, too, should take the opportunity not only to tailor their professional ethics and codes to be contemporaneous with the advances in technology but also to ensure compliance with the same, and with the law. Technology is good for the patient, the healthcare professional and society at large, but it has to be used with caution against the attendant risk to the closely guarded trust created by the professional relationship between them. The increasingly new ways in which the right to privacy and confidentiality is at risk of violation in a technological age have not been sufficiently integrated into the current Saudi legal system, thus necessitating the adoption of a contemporaneous approach. In addition, Lord Hoffmann had observed that many of the gaps in the legal protection of privacy interests require the formulation of specific and detailed rules in order to deal with competing interests, properly a task for the legislature rather than the courts. The growing demand for personal data by both the government and businesses has placed the right to privacy at risk of being eroded, unless timely law reform and updates of the regulatory system are initiated to face the emergent challenges of protecting information privacy. 
Apart from the need for the laws to keep pace with such challenges, there may also be the need for ‘bringing about a fundamental shift in our thinking about privacy.’ Individuals must be better educated on, and be aware of, the privacy risks of their communications in the digital spheres, in terms of increased sensitivity to the privacy of others and, hence, more alert to the requirement to prevent privacy invasions. The next chapter of the thesis is the summary, findings and conclusion.

Chapter Eight Summary, Findings, Conclusion And Recommendations

8.1 Summary

This part of the study summarises the previous seven chapters, analyses the findings of the research and proffers solutions to the problems identified in chapter one. The study focuses mainly on HCP-patient confidentiality. It is an investigation into the adequacy of the Saudi Arabian legal system to afford patients protection for their private information as they seek care from HCPs. The study notes that Saudi Arabia operates a unique legal system that derives its source from the Shari’ah. As such, what determines law in Saudi Arabia is based on the provisions of the Qur’an and the Sunnah of Allah’s Messenger, Prophet Muhammad (PBUH). Other sources include the reasoning of Islamic jurists based on the tenets of Islam. Consequent upon this, it is further noted that the approach to law-making in Saudi Arabia is different from what is obtainable in other jurisdictions. Without a doubt, patient confidentiality is an important as well as a sensitive issue globally. It is a fundamental human right for a patient to have their personal information kept private. This right finds support in international instruments as well as in Islam. It is an obligation every HCP should be bound by. It is both a legal duty and an ethical responsibility. In contemporary times, patient confidentiality has been receiving attention due to the increase in breaches of patient confidentiality. It is a global problem as well as a domestic challenge. This study demonstrates the importance of providing adequate safeguards for patient confidentiality. In doing so, the need to ensure that there is a clear framework to guide HCPs becomes imperative. Hence, this study seeks to provide solutions to this challenge, taking into context the unique nature of the Saudi Arabian legal system. That said, it is imperative to note that this is not a comparative study of the legal protection of patient confidentiality under the Saudi Arabian and European jurisdictions. 
Rather, it is an assessment of the adequacy of the legal safeguard to the right of privacy and confidentiality by using the triple test, the constituent elements of which are ingrained in the UDHR and other IHRLs, which are universally applied and accepted by Saudi Arabia. Nevertheless, this researcher sometimes uses the Strasbourg interpretation as a guide to show how the legal systems may adapt to cater to advances in technology. The aim here is to highlight that the Saudi legal system can be modified to keep pace with societal changes while at the same time maintaining strict compliance with the principles of Islam. God’s principles do not change. However, there is a need for a liberal approach instead of a more conservative one in addressing advances in technology. There are numerous cases where the Shari’ah system has adopted a liberal approach to law-making while at the same time maintaining God’s principle. For example, only married Muslim couples may seek IVF treatment. While this acknowledges advancement in technology, it is still within the ambit of Allah’s law and maintains the sanctity of marriage. This study identifies that the use of the internet and electronic health management affects how patients’ records are stored. This practice might lead to breaches of patients’ confidentiality. Therefore, HCPs need to be trained on the best way to utilise data management systems.

With regard to the development of an enhanced framework capable of providing a point of reference among Saudi Arabia’s peers in the Middle East, a Saudi Arabian patient confidentiality system must be developed. This framework will yield results that the Saudi Arabian National Health Service can utilise to build and develop good practice in the protection of the right to patient confidentiality. A key consideration in the study is that domestic legislation should maintain a duty of confidentiality as part of an individual’s rights to protect their freedom and privacy, where nobody is allowed to access confidential information without permission. The research maintains that patients will be at peace to reveal personal information to HCPs if they are assured that what they say or what the HCP discovers will be kept secret even when the patient is dead. This assurance will enable patients to open up so that the HCP can get the right prognosis and offer the correct treatment. It is noted that such information can only be released based on an exception known to, and approved by, law. In conclusion, in line with the research objectives for this thesis identified in section 1.2 of chapter one, the research explains what is meant by patient confidentiality and elucidates how this right is protected by international instruments and Islamic traditions. The study highlights the practice that has been developed under IHRL as further expounded upon by the ECtHR, i.e., the application of the triple test in determining when a right may be curtailed. In light of the IHRLs, the study assesses the domestic laws in Saudi Arabia to determine the adequacy of the laws to protect patient confidentiality. The analysis shows that, although there are laws meant to protect a patient’s confidential information, these laws need to be reviewed to cater for the challenges posed by the increase in the use of the internet and e-health management systems. 
Based on the foregoing, the study presents effective recommendations for the policymakers in the Kingdom of Saudi Arabia and also identifies areas for future study.

8.2 Linking the Study with Theories Discussed

In order to provide solutions to the problem identified in this study, the researcher explores two theories. These theories are human rights in Islam and human rights in patient care. These theories are first mentioned in section 1.5 of chapter one.

8.2.1 Human Rights in Islam

It is imperative to link the patient’s confidentiality right to human rights as viewed under the Shari’ah. It is worthy of note that some proponents of human rights wrongly assume that Islam is incompatible with human rights. For example, reference is made to Saudi Arabia’s use of lashing as a form of punishment for a crime committed. However, it is worthy of note that Saudi Arabia has abolished lashing as a form of punishment as a result of ‘human rights’ reforms spearheaded by King Salman Bin Abdul Aziz and his son, the Kingdom’s de facto ruler, Crown Prince Mohammed bin Salman. The truth is that Islam respects human rights but all ‘rights are subject to Islamic Shari’ah’. Consequent upon the foregoing, it needs to be emphasised that Islam supports human rights that are not incompatible with the Shari’ah. Human rights in Islam are provided for by virtue of the two main sources of Islam, i.e., the Qur’an (the Holy book in Islam) and the Sunnah (sayings and deeds of the prophet of Islam). These rights include the right to life, the right to live in dignity, the right to justice, the right to equality before the law, the right of choice, the right of free expression, the right to privacy, the right to property and the right to the necessities of life. Human rights in Islam mean those rights that have been ordained by Allah for mankind. For these rights to be enjoyed, they have to have their source in Islam. As Baderin notes, the right must be corroborated by the Qur’an unambiguously. This thesis identifies that the right to confidentiality is supported by Islam. The Shari’ah gives preference to confidentiality as a human right. In Islam, keeping confidentiality is one of the main sources of a good relationship. In Islam, teaching a child about confidentiality is a Sunnah. Imam Mowardi stated that confidentiality is a strength of man through which he can keep from disclosing personal information and successfully achieve his goal. 
Based on Islamic principles of human rights and the need to protect patient confidentiality, Saudi Arabia must take steps to ensure that patient confidentiality is protected, and the state must seek to match the pace of technology while ensuring that this is in line with the Shari’ah.

8.2.2 Human Rights in Patient Care

Human rights in patient care recognise that HCPs are important actors whose rights must be respected just as the right of the patient to receive efficient services that must meet international standards. Under best international practice the right to patient confidentiality may only be violated in any of the following situations:

Patient medical information is available to all staff;

Patients are forced to disclose their medical diagnosis to their employer to obtain leave from work;

Medical examinations take place in public conditions etc.

Following from the above, in order to measure what the best international standard is, this study chooses the provisions of the UDHR and other IHRLs that are universally applied and accepted by Saudi Arabia, and as developed by the ECtHR. Thus, for there to be an exception to the right to patient confidentiality, the exception must pass the three tests. These tests are as follows:

The legality test – the exception in question must be recognised by law;

The legitimate aim test – the exception to the right to confidentiality must be pursuant to achieving a public aim or purpose; and

Proportionality test – apart from being known to law and seeking to achieve a public purpose, the exception must be proportional to the aim pursued.

Under the IHRLs, any exception that does not pass the triple test (that is, comply with the three requirements of legality, necessity and proportionality) must not be accommodated. This study notes, however, that while these tests reflect best international practice, their application in the Saudi context must only be where it does not contradict the Qur’an and Sunnah.

8.3 Findings of the Study

It is anticipated that, the findings of this study may be of interest to both academic and professional communities in the Kingdom of Saudi Arabia. After a review of the laws and soft norms available for protecting patient confidentiality in Saudi Arabia in relation to best international standards, some findings have been made. At the risk of repetition, it needs to be stated here too that while the IHRLs serve as a model for a review of the Saudi framework, the lessons learnt must be in line with the principles of the Islamic Shari’ah. Below are the findings of the study:

The Shari’ah recognises the right to patient confidentiality.

There are laws in Saudi that seek to protect patient confidentiality. These laws have their root in the Shari’ah.

There is no fundamental difference between the IHRLs and the Saudi laws in the concept of privacy and confidentiality; however, the laws lag behind modern developments in technology as novel technologies expose grey areas in the prevailing laws;

Also, there are problems in its application, enforcement and adjudication. These problems include the lack of foreseeability, binding precedent, and civil remedy for its infringement.

The current framework offers a weak, fractured and piecemeal approach to protect patient confidentiality;

Any reference to ‘law’ under the Shari’ah inspired human rights instruments is a reference to the Shari’ah only;

Saudi Arabia is making progress in its human rights application and its involvement in human rights issues at the UN but their fundamental differences remain wide as Saudi laws are entirely Shari’ah-based.

8.3 Conclusion

This study examines whether the laws in Saudi Arabia adequately provide safeguards for patient confidentiality. The core objective is to emphasise the need for patients to be assured that their private information will not be abused by HCPs. At the same time, based on human rights and patient care theory, the study recognises that the HCP has a duty under certain circumstances to disclose what is otherwise regarded as private information. Unquestionably, patient confidentiality is a delicate issue and is important to having an effective HCP-patient relationship. It is a patient’s fundamental right to have their information kept secret by the HCP. This study is necessitated by the growth in the use of modern technologies and the impact it can have on patients’ data. The study demonstrates that Saudi Arabia already has a framework for the protection of patients’ private information. However, the protection in place is defective and not dynamic.

8.4 Contribution to Knowledge

The focus of this research is to contribute to the development of a framework for the protection of the right to patient confidentiality in the Kingdom of Saudi Arabia. The research reviews Saudi laws and current practice for the protection of the patients’ right to confidentiality, testing the same against the IHRLs.

8.5 Recommendations

8.5.1 Recommendations for a Legal Reform:

The application of Shari’ah principles and rules that protect information privacy needs to be further developed to provide individuals with an adequate level of privacy protection in the digital era. To do so, there is a need for a dynamic approach to law-making. In so doing, it is recommended that a liberal approach is also adopted. Nevertheless, patient confidentiality in Saudi Arabia must be pursued in full compliance with the Shari’ah. Furthermore, when it comes to the interpretation of the laws, judges should take into reckoning the need for the HCPs to protect patient confidentiality as well as the duty of the HCPs to disclose information in the public interest, as encapsulated in the theory of human rights in patient care. Furthermore, there is a need to codify Shari’ah principles to ensure clarity and to guide the judges regarding new issues developed via the Ijtihad process. There should be a clear and comprehensive set of privacy and data protection principles, similar to those available under the IHRLs, as applied in other jurisdictions, e.g., the European GDPR. This should inform the basis for future Saudi legislation on privacy and confidentiality rights. An alternative is to review and complete the process of enacting the previously proposed e-privacy law, which had already incorporated most of the listed data protection principles and the rights of the data subjects. Furthermore, such principles could guide the decisions of the relevant regulators and state authorities concerned with information privacy and data collection in different contexts. Such a comprehensive law should:

Define identifiable health information, and classify it as highly sensitive,

Provide privacy safeguards based on fair information practices,

Empower patients with the right of control over their data

Limit disclosures of health data without the patient’s consent,

Incorporate all data protection principles,

Establish a national data protection authority, and

Provide a national minimal level of privacy protections

The existing privacy laws should be reformed in order to ensure consistency with the privacy principles, which could mitigate the current challenges (e.g., ease of access and sharing of private data) posed by the advances in information technologies. The promotion of a greater regulatory can be developed by defining and emplacing data controllers, and offering them clear roles and responsibilities. There should be an effort to rationalise and consolidate the current approach to the regulation of surveillance and data collection in Saudi Arabia, with particular attention paid to the right of data subjects to control the processing of their own data. In particular, the current laws that justify selected infringements of privacy rights should stipulate the specific circumstances under which specific information is disclosed to identified third parties, and the period for which they may retain the data. The law should further provide a safeguard against secondary sharing of the same data.

8.5.2. Recommendations for Improved Technologies and Applications

Improved technological, organisational, and other means of protection should play an integral part in Saudi Arabian information privacy protection. Some other non-legal approaches could also play an important part in upholding the information privacy rights. In this vein, Saudi Arabia could enhance the following:

Improving self-regulatory approaches, including sanctioning of HCPs by professional bodies, where the members violate the right of the patient to confidentiality.

To embark on public awareness and education of both the professionals and the public on their rights, obligations and responsibilities in upholding the privacy rights.

Adopting 'privacy-enhancing technologies' and other security tools to protect health information systems from any unlawful access.

To adopt ‘privacy by design’, so that patient privacy is a major consideration at the stage of design and development of information systems. The system has to take into consideration the multiple conflicting interests, to wit, the patient’s interest in ensuring that no one has unnecessary access to his data, the hospital administrator’s interest in ensuring unimpeded access to data needed for management, and the physicians’ interest in avoiding time-consuming limitations on medical practice.

8.5.3 Recommendations Regarding the Use of Electronic Information Systems by HCPs

In addition to the points noted in section 8.5.2 above, HCPs have a role to play to ensure that the right to patient confidentiality is protected. Apart from the extant laws already in place, there is a need to put in place a system, which would protect both the HCPs and their patients. As such, this researcher recommends as follows:

Any technology to be deployed for the management of patient data in Saudi hospitals and medical facilities must be assessed to ensure that, they are well secured before any such deployment.

Dedicated IT experts should be involved in the management of the technology or software to ensure that data breaches do not occur. Security controls should tighten as well as limit the electronic use of patient medical information. All electronic systems must be password protected to prevent unauthorised use. In addition, all those with clearance to use the IT systems must be made to change their passwords at regular intervals. Passwords must not be disclosed to colleagues or even to IT staff.

HCPs should not be allowed to use their private computers within the medical facilities. Only approved official computers should be used, and the ability to use CDs or USB sticks on official computers must be restricted. This will prevent HCPs from taking files out of the medical facilities.

8.6 Future Research

As noted in section 1.8 in chapter one of this study, there is a dearth of literature dealing with the right to patient confidentiality in Saudi Arabia. As a corollary, the need for further studies in line with this present research cannot be overemphasised. Further studies in this area will develop healthcare practice in Saudi Arabia as well as give direction to the policymakers in the country. There is thus much room for further exploration and opportunities for research. There is also a need for an empirical study to examine how the recommendations suggested in this study can be applied in practice in the country. In the same vein, this researcher believes that the limitations of this research identified in chapter one of this thesis form the basis for further research and, in this respect, the following points should attract the interest of researchers as areas for exploration:

A further study may examine patient privacy as distinct from patient confidentiality. While the present study focuses on patient confidentiality, an approach to patient privacy should be of interest to researchers in future.

There is a need for a comparative study with other jurisdictions that share similar cultures and legal systems with Saudi Arabia. The lessons learnt from such studies can help to improve the framework in Islamic jurisdictions.

