Right to Privacy Requires Strict Controls, Safeguards and Protection of Health Information

I v Finland [2008] ECHR 20511/03 (17 July 2008)

The European Court of Human Rights has held that the measures taken by a Finnish hospital to safeguard the right to respect for private life of an HIV-positive patient of the hospital, who was also employed by the hospital from time to time as a nurse, were inadequate and in violation of art 8 (the right to respect for private life) of the European Convention on Human Rights.


Between 1989 and 1994, the applicant worked on fixed-term contracts as a nurse in the polyclinic for eye diseases in a public hospital in Finland.  From 1987 she paid regular visits to the polyclinic for infectious diseases of the same hospital, having been diagnosed as HIV-positive.  At that time, hospital staff had free access to the patient register which contained information on patients’ diagnoses and treating doctors.  Following her insistence, the hospital’s register was amended so that only the treating clinic’s personnel had access to its patients’ records.

In November 1996, the applicant lodged a complaint regarding misuse of her personal records with the County Administrative Board, requesting it to examine who had accessed her confidential patient record.  The hospital’s archives director filed a statement explaining it was not possible to find out who, if anyone, had accessed the applicant’s patient record as the data system revealed only the five most recent consultations (by working unit and not by person) and even this information was deleted once the file was returned to the archives.  Consequently, the applicant’s complaint was dismissed.  However, the hospital’s register management process was amended so that it became possible retrospectively to identify any person who had accessed a patient record.

A series of civil appeals brought by the applicant in the District Court and Court of Appeal against the district health authority administering the hospital were also dismissed, again because of the applicant’s inability to provide firm evidence that her patient record had been unlawfully consulted.  Leave to appeal to the Finnish Supreme Court was refused and the applicant filed proceedings in the European Court of Human Rights.


The applicant complained that the district health authority had failed in its duties to establish a register from which her confidential patient information could not be improperly disclosed, in breach of art 8 of the Convention, and that the requirement that the register be capable of ‘retrospective control’ (i.e. access accountability) was critical.

The Finnish Government contended that domestic legislation adequately protected patient records, and that ‘a hospital’s system for recording and retrieving patient information could only be based on detailed instructions and their observance, the high moral standards of the personnel, and a statutory secrecy obligation…. [and that it] … would not have been possible for the hospital to create a system verifying in advance the authenticity of each request for information as patient records were often needed urgently and immediately.’

The European Court confirmed that medical records were within the scope of art 8 of the Convention, and that ‘[t]he protection of personal data, in particular medical data, is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life.’

In acknowledging that the primary — negative — object of art 8 ‘is essentially that of protecting the individual against arbitrary interference by the public authorities’, the Court emphasised that there may in addition ‘be positive obligations inherent in an effective respect for private or family life’, and that ‘these obligations may involve the adoption of measures designed to secure respect for private life even in the sphere of the relations of individuals between themselves…’.

The European Court noted that it was ‘crucial not only to respect the … privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general … especially … as regards protection of the confidentiality of information about a person’s HIV infection, given the sensitive issues surrounding this disease.’  It found that ‘the applicant lost her civil action because she was unable to prove on the facts a causal connection between the deficiencies in the access security rules and the dissemination of information about her medical condition.’  It continued: ‘However, to place such a burden of proof on the applicant is [unfair]…. [H]ad the hospital provided a greater control over access to health records by restricting access to health professionals directly involved in the applicant’s treatment or by maintaining a log of all persons who had accessed the applicant’s medical file, the applicant would have been placed in a less disadvantaged position before the domestic courts.’

Finally, the European Court noted ‘that the mere fact that the domestic legislation provided the applicant with an opportunity to claim compensation … was not sufficient to protect her private life.  What is required in this connection is practical and effective protection to exclude any possibility of unauthorised access occurring in the first place.  Such protection was not given here.’

Relevance to the Victorian Charter

A fundamental question will arise as to whether the language of s 13 (privacy and reputation) of the Victorian Charter is capable of supporting the ‘positive obligations’ referred to by the European Court in I v Finland.

Section 13(a) provides relevantly that ‘[a] person has the right not to have his or her privacy … unlawfully or arbitrarily interfered with’, an expression to be contrasted with the more positive language of art 8 of the Convention, which provides that ‘everyone has the right to respect for his private … life’.

Given the expression of the rights in the Charter and the operation of s 38, and assuming that the European Court’s view that medical records will fall within the scope of what constitutes the ‘privacy’ of an individual, the application of s 13, in respect of medical records, may be limited to a restriction on the use of such records by public authorities which would constitute unlawful or arbitrary interference.  This would mean that the Charter would impose less onerous obligations on Victorian public authorities in respect of the protection of medical records from non-public authority third parties than would be the case under the Convention.

Peter Henley, Human Rights Law Group, Mallesons Stephen Jaques