Confidentiality, public interest, and the human right to science: when can confidential information be used for the benefit of the wider community?

Edward Dove is Reader in Health Law and Regulation at the School of Law, University of Edinburgh, and Deputy Director of the J Kenyon Mason Institute for Medicine, Life Sciences and Law.

Journal of Law and the Biosciences, Volume 10, Issue 1, January-June 2023, lsad013, https://doi.org/10.1093/jlb/lsad013

14 June 2023 07 February 2023 27 April 2023 14 June 2023


Abstract

This article explores whether the human right to science can support the public interest as a legal basis to use and disclose confidential information. The contextual focus is scientific research; the jurisdictional focus is England. The human right to science, as reflected in the Universal Declaration of Human Rights (Article 27) and the International Covenant on Economic, Social and Cultural Rights (Article 15), hitherto has not been invoked in support of a public interest basis for lawful disclosure, but the argument is made herein that there may be scope to develop this jurisprudentially. On grounds of both law and policy, and in line with the underlying rationale of recent UK Government deployment of ‘COPI Notices’ for lawful use of confidential patient information in the course of the COVID-19 pandemic, I contend that the human right to science may well serve as a valuable juridical buttress to an overriding public interest justification to lawfully share confidential information. However, this could occur only in restricted circumstances where the public interest is clearly manifest, namely studies researching serious, imminent health threats to the general population that rely on confidential information accessed outside of existing statutory gateways, and not more routine scientific endeavors.

I. INTRODUCTION

Individual-level information holds tremendous value for research organizations, healthcare systems, and commercial companies alike. Information gathered from individuals—be they patients, research participants, or otherwise—and be it in the form of health data, education data, socioeconomic data, political opinion data, or otherwise—helps contribute to better understandings of disease, public health threats, and human wellbeing more generally. These better understandings may, in turn, lead to lucrative, life-enhancing innovations in the form of diagnostics, therapeutics, vaccines, and devices—all of which hold even more tremendous value in the midst of a public health emergency. Additionally, and generally speaking, the more information that is obtainable in great volume, and the more information that is obtainable in identifiable form, the greater the value it holds, as there is better opportunity to make linkages across different data sets, to combine it with other data sets, to run analyses, and to identify correlations and causations. 1 There is considerable scientific and commercial imperative to gather information on a cumulative basis, both for its current and potential future value.

Cutting across this desire is a counterweight in the law, reflected in distinct but at-times overlapping legal regimes, namely confidentiality law, privacy law, and data protection law, all of which seek to protect rights of individuals and limit uses of information relating to them. In this article, and in the interest of space, I focus only on confidentiality law and within the jurisdictional confines of England. Confidentiality law is a common law doctrine with strong roots in equity; privacy law, on the other hand, is an emerging regime in England, grounded both in human rights (in particular Article 8 of the European Convention on Human Rights, or ECHR) and in domestic jurisprudence, with the latter recognizing privacy (as one example) as meriting a stand-alone tort in the informational context only in 2004, 2 and, north of the border in Scotland, as a domestic right only in 2019. 3 Statute-driven data protection law has been in place in many countries around the world since the late 20th century, coincidental with the rise of automated systems (particularly computers) that process personal data; it seeks to protect against actions that can interfere with the fundamental rights of persons, including their generalized rights to privacy and to data protection. 4 By contrast, confidentiality law holds that confidants (ie, recipients) of information, which has the necessary quality of confidence about it, are duty-bound to hold that information in confidence (that is, in secret), unless there is a lawful basis for disclosure, such as the consent of the confider. The doctor-patient relationship is a classic scenario in which the duty of confidence arises. 5 It dictates that a duty is owed by the doctor to the patient in relation to almost all of the information disclosed in the course of encounters between these two parties (save for mere trivial tittle-tattle 6 ).

The duty of confidentiality holds firm even as the traditional dyadic doctor-patient relationship has transformed in the 21st century, where the patient encounters a complex healthcare system, and research participants encounter a complex health research system, in which ‘the specialisation of care has resulted in the treatment details of each person needing to be shared between a team of practitioners’ 7 (and equivalent through research staff), and even as growing amounts of data are shared through multiple dispersed data sharing platforms, networks, and technologies. In each of these encounters with doctors, scientists, and the larger ‘system’, a duty of confidentiality potentially arises, although the legal landscape becomes increasingly unclear with respect to who owes such a duty, the nature and extent of the duty, and the respective rights of the persons to whom the confidential information relates. As the amount of information obtained from individuals surges and is stored in an ever-increasing number of databases with linkages sought between them, questions arise regarding the extant legal and policy balance between the value of sharing confidential information for the benefit of the wider community and the value of protecting such information on both intrinsic and instrumental grounds.

In this article, I want to focus on a particular basis in confidentiality law that would—in principle—allow for the lawful use and disclosure of various types of confidential information for secondary use purposes, 8 such as scientific research, that could be seen as a benefit for the wider community. This basis is known as the public interest. As this article will discuss, the public interest is a nebulous concept that shapeshifts over the years as underlying social values and norms evolve in society. 9 Nonetheless, it retains coherence and meaning and has received jurisprudential treatment (as well as doctrinal analysis and insight from professional guidance) that helps aid our analysis of its workings. Much of that treatment has come through interpretations of the duty of confidentiality and the allied and emerging tort of misuse of private information as viewed through the lens of the ECHR, notably Article 8 (right to privacy), frequently read in tandem with Article 10 (freedom of expression)—not to mention their limitations under Articles 8(2) and 10(2), respectively—and both of which have been domesticated in the UK’s Human Rights Act 1998 (HRA 1998). Deeper understanding of the public interest is also beginning to emerge from academic commentary on the interpretation of the United Kingdom’s Data Protection Act 2018, which introduces a new public interest test applicable to the scientific research processing of personal health data. 10

What has not received any consideration to date, however, is whether there are other normative instruments, including other human rights instruments ostensibly with some legal effect in the UK, such as the International Covenant on Economic, Social and Cultural Rights (ICESCR)—and even more hortatory instruments such as the Universal Declaration of Human Rights (UDHR)—that could have a bearing on the interpretation and scope of the public interest as a basis to justify the use and disclosure of confidential information. This is worthy of exploration for two reasons. First, it raises significant potential (at least at first glance) for expanding the circumstances in which confidential information can be used for the benefit of the wider community—even in the absence of consent signaled from the rights-bearing confider. Second, it brings much-needed clarity to the interplay between confidentiality, the public interest, and human rights—including those that are not incorporated in the HRA 1998.

In what follows, I examine the extent to which one specific article in two legal instruments, the ICESCR and UDHR, may be lawfully invoked to help ground a public interest basis for the lawful disclosure of confidential information in certain circumstances. This is Article 15(1)(b) and Article 27(1), respectively—each of which speaks to ‘the right of everyone to enjoy the benefits of scientific progress and its applications’ (ICESCR) and ‘to share in scientific advancement and its benefits’ (UDHR). In shorthand, and colloquial language, this is frequently referred to as the ‘human right to science’. Thus, the key question at the heart of this article becomes this: can a confidant (data custodian)—a person or institution 11 who otherwise is obliged not to disclose confidential information they have received—lawfully share a person’s confidential information for a secondary purpose, namely a scientific research purpose, without that person’s consent, on a public interest basis? The foundation of an argument to this effect would be grounded in a claim that there is an overriding public interest that the information ought to be used for research into a matter that is of wide benefit to the community and in so doing can (help) enable everyone to enjoy the benefits of scientific progress and its applications. Put more simply: just how far, if at all, can we stretch the public interest basis in the law of confidentiality, and to what extent might the human right to science assist?

The question is not merely an academic exercise. On a daily basis, data custodians must ensure that they are adhering to ethical and legal obligations in their work with identifiable (and non-identifiable) information. In some jurisdictions, while consent might operate as the primary legal basis to use and disclose confidential information, especially for non-direct care purposes such as research, there are many circumstances in which this may be neither possible nor the most appropriate basis. Parliament itself has recognized this, creating some years ago a statutory gateway applicable in England and Wales, known as ‘section 251 approval’, to permit disclosure and use of ‘confidential patient information’ for a ‘medical purpose’ (including ‘medical research’), on a public interest basis, without consent 12 (as will be discussed). Northern Ireland has also recognized this, passing legislation that enables the use of health and social care information which identifies individuals to be used for health care or social care purposes which are in the public interest, without the consent of the individuals whose information may be used. 13 Circumstances in which consent may be neither possible nor the most appropriate basis include use of information that relates to persons who have since died (the obligation of confidentiality continues for some time after death 14 ), and where it would be impracticable to obtain the consent from a massive cohort of individuals. Indeed, many in the public health research community prefer to make available and have access to individual-level information for secondary uses in ways that respect ethical and legal norms, but not necessarily through the prism and paradigm of consent. 15 This is especially the case with large-scale data linkage projects and use of data that was originally collected many years prior. 
As Adams and colleagues note: ‘Seeking consent is often problematic in data-intensive research because the linkage and extraction of data are remote in time and place from the original collection of data in the healthcare facility.’ 16 Outside the scope of explicit consent for use of information within a specific research project, ‘[r]eliance on extended or unspecified consent, or on implied consent, leaves the person disclosing the information vulnerable to an action for breach of confidence because of the uncertainty about the validity and scope of the consent.’ 17

Many scholars have noted the drawbacks and weaknesses with consent operating as a (primary) legal basis in this area, including, inter alia, difficulty obtaining truly informed consent (eg, information overload and complexity for individuals providing their consent, difficulty tracing all individuals to obtain their consent); selection bias; and the failure of consent (or wrongful belief in consent) to act as an adequate—much less complete—safeguard for the privacy and safety of information stored in databases. 18 Outside the existing statutory gateway for disclosing ‘confidential patient information’, were data custodians able to lawfully disclose and use other kinds of confidential information without having to seek and obtain the consent of the person to whom the information relates, and instead rely on the basis of an overriding public interest, it would enable a more cost-effective, efficient, as well as unprecedented level of access to information and thereby create a boon for science. But it would likely also generate concern for the adequate protection of confidential information of individuals availing themselves of various services, be they in health, employment, or education. Thus, beyond the primary legal question phrased above, a more socio-political question also arises: is the public interest legal basis, to enable confidential information sharing without consent for research purposes, one that is considered reasonable and acceptable by society, and if so, for which specific kinds of research purposes? This question concerns matters of political legitimacy, social acceptability, and social license; it is a question that I cannot hope to address in this article, which focuses on the legal question, but I acknowledge that social, political, and ethical values are critically important and would also have to be addressed to fully flesh out this issue.

To answer the legal question, the article is organized as follows. In Section 2, I provide a brief primer on confidentiality law and its centuries of jurisprudential development. In the medico-scientific context, confidentiality protects not only the information disclosed by a patient to their doctor and healthcare team, but also, in more recent years, by a research participant to the research staff. In both instances, the relationship may be governed by a contractual or equitable obligation owed to the confider. I demonstrate here that the paradigmatic framing of a doctor-patient relationship is not, in fact, a true reflection of the actual or potential nature and limits of the duty of confidence, as seen for instance in the context of a researcher-participant relationship (not to mention employer-employee relationships), and this therefore may start to open the door to a possibly broader public interest argument.

In Section 3, taking up the interim conclusion in Section 2, I briefly cover the available legal bases to lawfully share confidential information, focusing on the public interest basis. Looking at jurisprudence, academic commentary, legislation, regulatory guidance, and (albeit limited) public opinion polling, I argue that the categories that fall within this basis are broader than we may think; there is some jurisprudential, doctrinal, and public openness to going beyond ‘traditional’ categories of the public interest, namely risk of serious harm or risk of serious crime.

Section 4 then analyzes the human right to science and the extent of its domestic implementation and jurisprudential take-up in the UK, exploring the potential for this human right to serve either as a right on its own that conflicts with a ‘right’ of confidentiality such that it may override the latter, or, as I go on to suggest, more of a juridical ‘buttress’ to a public interest basis for confidential information disclosures.

I then turn in Section 5 to discuss two hypothetical scenarios as a means to consider whether the public interest may be expanded to permit a lawful breach of confidentiality with the added reinforcement of the human right to science. I argue that this is indeed possible, but likely only in research scenarios involving serious, imminent health threats to the general population, such as public health emergencies, as this is a purpose that would most clearly meet a common understanding of the public interest and reflects a ‘net interest’ which all members of the public have in common. Support for my argument that the public interest is an appropriate legal basis for use of confidential information limited to this context is garnered from the recent UK Government deployment of ‘COPI Notices’ during the COVID-19 pandemic. It is worth noting here that while England is this article’s jurisdictional focus, these two hypothetical scenarios are of wider significance for other common law jurisdictions (not to mention civil law jurisdictions which also recognize a duty of confidence).

Finally, in Section 6, I bring the analysis together to conclude that ultimately, while the scope of the public interest in confidentiality law is indeed flexible, and some forms of scientific research may fulfil the necessarily strict criteria to permit lawful disclosure in the absence of consent, the very nature of the public interest serving as an exception to the duty means that caution and precaution must be the guardians of any expansion. The ‘hook’ of the human right to science would buttress a public interest legal basis to override the duty of confidentiality, but in England, given limited recognition of human rights not explicitly domesticated in law, the human right to science could not serve in its own right as a justiciable right that might override and come into conflict with a common law right and civil right such as confidentiality (and, more arguably, privacy 19 ). Yet even in serving as a buttress, recognizing the human right to science within confidentiality law could provide firmer, more robust justification for disclosures grounded in an overriding public interest. This said, I argue that for most kinds of scientific research outside the confines of a public health emergency, the public interest basis would be of limited to no utility and another lawful basis would be required to use and disclose confidential information. Invariably that will—or should—equate to obtaining either section 251 approval to the extent the context is ‘medical research’ that involves ‘confidential patient information’, or otherwise obtaining the explicit consent of the individuals involved. This demonstrates both the inherent limits of international human rights generally, especially as they are treated in domestic courts, as well as a rather cautious approach and interpretation to the common law, which interestingly appears more pronounced in England than in other jurisdictions, including those within the UK. 20

II. CONFIDENTIALITY LAW: A BRIEF PRIMER

The law of confidentiality is an ancient doctrine in England, incrementally developed by courts over the centuries and, in recent times, modified to some degree by statute law (as discussed below). Unlike in the USA, the doctrine has long been viewed as a core part of private law obligations. 21 Some of its elements related to good faith and conscience may be traced to the early courts of equity, but firmer roots began to appear in 18th-century jurisprudence. 22 Its core elements are seen in cases such as Abernethy v Hutchinson 23 and Prince Albert v Strange, 24 where English courts recognized that people may have a legal duty—be it implied or explicit—under trust or confidence (together comprising obligations arising in equity), or contract, to not disclose or otherwise make available information (or material) that has the necessary quality of confidence about it, in the absence of a lawful basis. 25 In more recent times, courts have explicitly recognized the public interest basis of the duty of confidence. In Attorney-General v Guardian Newspapers (No 2) (often called the Spycatcher case), Lord Griffiths noted that the duty rests on ‘the public interest in upholding the right to confidence, which is based on the moral principles of loyalty and fair dealing’, while Lord Goff stated that ‘the basis of the law’s protection of confidence is that there is a public interest that confidences should be preserved and protected by the law’. 26

The modern formulation of the elements necessary to establish a cause of action for breach of confidence, as reflected in a now-modified tripartite test, can be traced to the judgment of Justice Robert Megarry in Coco v AN Clark (Engineers) Ltd, 27 wherein he stipulated that:

First, the information itself… must ‘have the necessary quality of confidence about it’. Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it. 28

It may be taken as almost axiomatic that information disclosed in the context of a doctor-patient relationship will have the necessary quality of confidence about it, and is imparted in circumstances importing an obligation of confidence. Indeed, as far back as the 1851 Scottish case of AB v CD, 29 it was stated:

… that a medical man, consulted in a matter of delicacy, of which the disclosure may be most injurious to the feelings, and possibly, the pecuniary interests of the party consulting, can gratuitously and unnecessarily make it the subject of public communication, without incurring any imputation beyond what is called a breach of honour, and without the liability to a claim of redress in a court of law, is a proposition to which, when thus broadly laid down, I think the Court will hardly give their countenance. 30

It is well-known (and thus no more need be said about it) that doctors have a moral and legal duty not to disclose information about their patients to others unless there is a stronger countering duty. What is more important for the purposes of this article is the recognition that the duty arises in other situations within the medico-scientific context. As Richards and Solove note, the English law of confidentiality ‘is much more open-ended in the relationships it protects’; 31 the court in Stephens v Avery affirmed that ‘the relationship between the parties is not the determining factor. It is the acceptance of the information on the basis that it will be kept secret that affects the conscience of the recipient of the information’. 32

Regarding the first two elements of the test, then, though there is little written on the subject from a legal perspective, a duty of confidence also may be seen to arise between a research participant and a researcher, as well as with a data custodian who holds information for safeguarding and for research-related and other purposes. In these scenarios, information having the necessary quality of confidence may be obtained in the course of a research project, such as health information obtained from a survey, longitudinal study, or observational study. This confidentiality obligation is commonly evidenced explicitly, rather than impliedly, in participant information sheets, 33 where researchers commit to treat the information provided by the participant to them as confidential, and seek to anonymize and otherwise not disclose the information without the prior consent of the participant, or unless there is another lawful basis for doing so. Likewise, data custodians commit to holding identifiable information in confidence through a variety of safeguards. 34 While we should be encouraged to see the duty in its entirety, beyond the ‘traditional’ relationships such as doctor-patient, we should also be mindful that the nature of the duty and its exceptions may differ as between, for example, the therapeutic (clinical) context where use of the information may have more direct benefit for the individual and the non-therapeutic research context, where use of the information may have more indirect benefit for the individual and instead carries social value for the wider community. I return to this consideration later in the article.

The last element to establish a claim for breach of confidence, concerning unauthorized use of that information to the detriment of the party communicating it, is necessarily dependent on the scope of the duty owed in the particular circumstance. As Simon Brown LJ opined in the case of Source Informatics, the test is whether a reasonable person’s conscience would be troubled by the proposed use of the relevant information. 35 Does this mean that the misuse, actual or threatened, must be detrimental to establish a breach of confidentiality? In the case of private confidences, such as that between a doctor and patient or between a research participant and the researcher, we may safely assume that a confider likely will retain an interest in the information being kept confidential and not further disclosed to others, regardless of whether disclosure would be positively harmful to them, for reasons which may be perfectly understandable. In the medico-scientific context, it has long been recognized that health information is among the most sensitive of personal information and any use and disclosure of that information that is not authorized by the confider is reasonably likely to be detrimental to the confider (be it a concern of harm to autonomy interests, dignity, moral distress, or pecuniary damage). 36 In any event, this third element has been modified in more recent jurisprudence, pulling away from the need to establish detriment, such that it must be satisfied that the confidential information has been misused or is threatened to be misused. 37 Misuse can arise when a person merely accesses and acquires confidential information, such as intentionally looking at a patient’s medical notes, even if there is no disclosure per se from the doctor to the snooping person. 38

Thus, we may assume that in the medico-scientific context, including both therapeutic (eg, doctor-patient) and non-therapeutic (eg, researcher-participant) contexts, a duty of confidentiality is prima facie established and owed by the confidant to the patient-participant confider in relation to the information 39 that is disclosed by them, and, in the absence of any authorization by them to disclose or otherwise use that information, a prima facie cause of action for breach of confidence will be established. Again, however, the nature of the duty and its exceptions may have nuances of difference between the therapeutic and non-therapeutic contexts, and we thus ought to be attuned to the potential for these differences to lead to different outcomes when it comes to assessing how the duty is operationalized—and the circumstances in which it may be lifted lawfully.

Indeed, as has already been hinted at above, it is well-established that the duty of confidentiality is not absolute. In addition to a defendant-confidant countering each of the three elements to establish the cause, several limits, defenses, or bases (I use these terms interchangeably) are available that justify the lawful disclosure of confidential information. These include: (i) disclosure that is required or authorized by statute; (ii) consent by the confider to the disclosure (with the consent being either explicit or implied, general or specific); (iii) the inherent jurisdiction of the court (eg, the power of a court to order discovery); (iv) privilege (eg, Parliamentary or judicial proceedings); (v) evidence that the confidant was already in prior possession of the information before disclosed to them by the confider, or subsequently acquired the information by independent (and lawful) means; and, most importantly for the purposes of this article, (vi) the existence of an overriding public interest basis for the disclosure such that the balance weighs in favor of disclosure. 40

Regarding this last basis, we have seen already that confidentiality law itself is seen as being grounded in a public interest that confidences should be preserved and protected by the law. In the health context, English courts have recognized that ‘[t]here is a strong public interest in respecting medical confidentiality which extends beyond the privacy of the individual patient’, 41 and have quoted favorably the European Court of Human Rights case Z v Finland, in which the Court held that:

Respecting confidentiality of health data is a vital principle in the legal systems of all the Contracting Parties to the Convention. It is crucial not only to respect the sense of privacy of a patient but also to preserve his or her confidence in the medical profession and in the health services in general. Without such protection, those in need of medical assistance may be deterred from revealing such information of a personal and intimate nature as may be necessary in order to receive appropriate treatment and, even, from seeking such assistance, thereby endangering their own health and, in the case of transmissible diseases, that of the community. 42

Yet, in certain circumstances, confidentiality may be overridden where there are sufficient countervailing public interests favoring disclosure. What are these circumstances? I begin to chart this below. As will be seen, the circumstances are neither finite nor foreclosed; one doctrinal text on confidentiality law has commented, ‘[t]he scope in English law of what has come to be referred to as the “public interest defence” has broadened over time.’ 43 The question this article asks is: if the scope of the public interest has broadened over time, just how broad has the scope become such that a confidant may lawfully share confidential information—even in the absence of consent? I turn to this question in Section III as a means to then draw out the argument that the human right to science can help support the legal basis for disclosure, albeit in limited circumstances.

III. THE PUBLIC INTEREST AS A BASIS TO PERMIT A LAWFUL BREACH OF CONFIDENTIALITY

In Section 3, I briefly cover the available bases to lawfully share confidential information, focusing on the public interest basis, and demonstrate how the categories that may fall within this basis are broader than we may think and than much of existing jurisprudence has indicated to date. While much ink has been spilled on the concept of the public interest 44 and how it might be established as a meaningful construct, 45 relatively little has focused on its application to confidentiality law. This is a normative gap that ought to be addressed. As Feintuck warns: ‘Though the very phrase “the public interest” has an air of democratic propriety, the absence of any identifiable normative content renders the concept insubstantial, and hopelessly vulnerable to annexation or colonization by those who exercise power in society.’ 46 I take up the view that the public interest may be seen as ‘any action which is conducive to the fulfilment of goals which the public wants for itself as a whole’ 47 and further find value in Taylor and Whitton’s expression that proper invocation of the public interest (in the data protection law context) requires ‘respect for persons as free and equal members of society’ and ‘requires that the adoption of any trade-off between common interests is justified in terms that are both accessible and acceptable to them’. 48 This puts us on more solid conceptual footing and has a good deal of resonance in the confidentiality law context, too, and as such will be further explored in a later section charting the circumstances in which the public interest legal basis may have purchase. I begin with tracing the evolution of the public interest basis in confidentiality before turning to its particular application in the research context.

III.A. The Evolution of the Public Interest Basis

The origins of the public interest basis lie in what has been called the defense of iniquity. As Sir William Page-Wood VC observed in the 1856 case of Gartside v Outram, 49 there can be ‘no confidence as to the disclosure of iniquity’, in this case being the disclosure of falsified sales notes to deceive customers. In other words, when the information concerns a risk of serious public harm, the information would be regarded both at common law and in equity as lacking the necessary attribute of confidence to forbid such disclosure. The facts of a case would justify disclosure because the confider has behaved disgracefully or criminally such that it would be in the public interest that their behavior, or at least the underlying information, should be exposed. Well through the 1980s, jurisprudence reflected a narrow interpretation of public interest disclosure along the lines of crime, national security, and iniquity. As a 1984 Scottish Law Commission report on confidentiality law summarized:

It would be fair to say, by way of summary, that the English courts have been reluctant to concede that there is a public interest in breaching confidence—except where the information relates to crime or national security or to some form of misconduct—and, with very rare exceptions, have been reluctant to permit disclosure otherwise than to a public official such as a police officer. A right to disclose on the part of the press is scarcely recognised. 50

In the past few decades, however, the defense (or basis) has been broadened to account not only for cases of serious misdeeds, but also cases where, inter alia, there is danger of serious harm. 51 Again, to quote from the Scottish Law Commission:

…the public interest defence should not, in our view, be confined to what may be regarded as ‘iniquity’ or ‘misconduct’, nor should there be pre-determined constraints on the range of persons to or by whom information may, in suitable circumstances, be disclosed, despite the existence of an obligation of confidence. […] This is not to say that disclosure is appropriate in every case. All we are saying here is that a defender must not be precluded from arguing that such disclosure whether to a public official or otherwise is justifiable in the particular circumstances of the case. 52

More recent jurisprudence reflects a principle that confidentiality law permits the duty to be overridden on a case-by-case basis. It explicitly sets a high bar for this, however, both because of the importance of considering the harms that may be mitigated in a particular case by disclosure of confidential information, balanced against harm to the individual’s trust and engagement, and because of the fundamental importance of protecting public confidence in infrastructures and wider systems, such as the healthcare system and health research system. Indeed, the bar has been so high that the public interest basis has been formulated as a ‘requirement’, as per Lord Goff’s encapsulation in the Spycatcher case:

… although the basis of the law’s protection of confidence is that there is a public interest that confidences should be preserved and protected by the law, nevertheless that public interest may be outweighed by some other countervailing public interest which favours disclosure. This limitation may apply […] to all types of confidential information. It is this limiting principle which may require a court to carry out a balancing operation, weighing the public interest in maintaining confidence against a countervailing public interest favouring disclosure.

Embraced within this limiting principle is, of course, the so called defence of iniquity. In origin, this principle was narrowly stated, on the basis that a man cannot be made ‘the confidant of a crime or a fraud’ … But it is now clear that the principle extends to matters of which disclosure is required in the public interest … . 53

As commentators have noted, the limiting principle of only such form of disclosure as the public interest requires is:

… consistent with the underlying notion of confidentiality as an obligation of conscience in recognising that there may be circumstances in which a conscientious recipient of confidential information would reasonably consider it right as a responsible citizen to make some form of disclosure of the information. 54

In such cases, it may be said that no obligation of confidence exists in contract, equity, or other jurisdictional basis insofar as the subject matter concerns a risk of serious public harm (including but not limited to cases of ‘iniquity’).

We might also consider there to be a useful distinction between a disclosure which may not ‘trouble the conscience’ of the confidant (as per Source Informatics, 55 discussed below)—such as the disclosure only of anonymized information—and the disclosure of information in circumstances where a conscientious recipient would consider it right as a responsible citizen to disclose (ie, the distinction between disclosure being permitted and it being required as a matter of conscience). Further, we might query what would trouble the conscience of the conscientious data custodian (rather than, say, the conscientious doctor). Might reasonable considerations of benefits from science, and the right to science, also factor into the data custodian’s conscience? And if so, should that matter? What if they themselves are a scientist? Should a conscience test apply in determining whether there is a breach of confidence if, as we might surmise, most scientists will think that their research projects are (invariably) a good thing and thus sharing confidential information to further them may well not trouble their conscience? I continue to unpack this exploratory thread below.

Before doing so, however, it is necessary to chart the extant, general categories to which this public interest basis for use or disclosure has purchase. These include (i) risk of serious harm to others and serious crime; (ii) national security; (iii) the administration of justice; and (iv) a matter of comparable public importance such that it may fairly be regarded as necessary in the public interest that a person possessing such information should be free to disclose it to an appropriate third party, whether or not the matter involves individual wrongdoing (by the claimant or anyone else). 56 In this article, I focus on the first category, although the fourth category also may be of some relevance to the analysis with respect to the broadness of a matter ‘of comparable public importance’.

III.B. Risk of Serious Harm to Others and Risk of Serious Crime

As noted above, the bar has been set high for a countervailing public interest which favors disclosure, and in the medico-scientific context, this has been interpreted as preventing risk of serious harm to others (both physical and psychological) and preventing or detecting serious crime. Two principal sources evidence this claim: case law and professional regulatory guidance, the latter of which holds considerable persuasive force in medical jurisprudence. Both suggest that public interest, at least to date, has been interpreted as permitting disclosure of confidential information if the benefits to an individual or society outweigh both the public and the participant-patient’s private interest in keeping the information confidential—but in specific instances involving some sort of risk of serious harm.

The key case in this area is W v Egdell. 57 The plaintiff, W, shot and killed five people and injured two others. He pleaded guilty to manslaughter on the ground of diminished responsibility and was ordered to be detained in a secure hospital on the grounds of him suffering from paranoid schizophrenia. At the time of the action for breach of confidence, W was compulsorily detained in a secure hospital but was being considered for transfer to a regional secure unit, as a step toward eventual release back into the community. When a recommendation for transfer was refused, W took steps to apply to a mental health review tribunal for conditional discharge. To that end, his solicitors instructed Dr Egdell, a consultant psychiatrist, to report on W’s mental state. His report conflicted substantially with that of W’s own medical advisers and he recommended further investigation of this conflict in opinion. Further, he recommended that attention should be given to other information, including W’s confession that he had a continuing and long-standing interest in explosives, which apparently had not been noted in other reports. W subsequently withdrew his application and his solicitors refused to forward Dr Egdell’s report to those responsible for his care and for any future recommendations as to his transfer to a less secure facility or discharge. Dr Egdell nonetheless sent a copy of his report to the assistant medical director at the hospital and also pressed for a copy to be sent to the Home Office to be considered by those responsible for reviewing W’s case. W brought an action against the defendant alleging breach of confidence.

The Court of Appeal held that in carrying out a balancing operation, weighing the public interest in maintaining confidence against a countervailing public interest favoring disclosure, each court must reach its own decision on the balance. However, in doing so, it is legitimate for the court to give ‘such weight to the considered judgment of a professional [person] as seems in all the circumstances to be appropriate’, 58 in this particular case, Dr Egdell. On the facts, that balance ‘clearly lay in the restricted disclosure of vital information to the director of the hospital and to the Secretary of State who had the onerous duty of safeguarding public safety’. 59 In both this case and an earlier case of X v Y, 60 the courts paid great heed to the advice provided by the professional regulator (the General Medical Council, or GMC) contained in its ethical guidance to doctors, 61 but the balance ultimately remains one for the courts and not for professional bodies or the government to decide.

In the more recent case of ABC v St George’s Healthcare NHS Trust, 62 the High Court ruled that in considering whether the interests of public health or safety should permit a doctor to disclose information given in circumstances importing an obligation of confidentiality (in this case, information concerning the possibility of the patient’s daughter having Huntington’s disease), a doctor may owe a third person who is in a close proximal relationship with the patient a duty of care to balance their interest in being informed of their genetic risk against the patient’s interest and the public interest in maintaining confidentiality. The scope of that duty extends to conducting a balancing exercise between the interests of the patient and the at-risk third person, and to acting in accordance with its outcome. Some legal commentators have stated that ‘it is for the court to rule on the legal criteria which govern the question whether and in what circumstances public interest may justify disclosure. Within those criteria, a person should not be held to have acted unconscionably if their decision was reasonable’, 63 although in the health context, significant deference is likely to be given by a court to the health professional and what their professional regulatory guidance advises about balancing interests in disclosure and maintaining confidentiality.

Regarding this second source of evidence (viz. regulatory guidance), Snelling and Quick demonstrate how the professional regulatory guidance for healthcare professionals, with respect to confidentiality and public interest disclosures, varies widely. 64 They used three sources of benchmarking guidance on the issue of confidentiality: (i) the Department of Health’s NHS Code of Practice on confidentiality, 65 (ii) its supplementary guidance on public interest disclosures, 66 and (iii) the GMC guidance on confidentiality. 67 From a close reading of these three sources, Snelling and Quick developed a framework of five questions as they concern public interest disclosure and areas of practical importance for health professionals: (i) Is public interest explained? (ii) Is the nature and level of harm to be avoided explained? (iii) Is intended beneficiary of disclosure explained? (iv) Is disclosure to prevent or detect serious crime explained? and (v) Is safeguarding explained?

Across the nine regulators examined, 68 Snelling and Quick found that ‘…the quality of some health professional regulatory guidance is poor’ 69 and inconsistency reigns. Even though the guidance suggests that a common denominator for the justification for public interest disclosure is the avoidance of harm (both physical and psychological), its boundaries are porous. Some guidance, they note, fails to include the qualifier ‘serious’, which in their view sets the threshold for disclosure too low. Thus, it may not necessarily be the case, for example, that only ‘serious’ crimes such as murder, manslaughter, sexual assault, domestic violence, sexual abuse or neglect of children, and so on may meet the threshold; it may also be that less serious crimes such as theft or criminal trespass are considered to justify disclosure in some of the health professions.

To take just their first question (viz. is public interest explained?) into deeper consideration, Snelling and Quick explore the GMC guidance’s explanation of public interest, as well as the Department of Health’s NHS Code of Practice on confidentiality, which defines the public interest as:

Exceptional circumstances that justify overruling the right of an individual to confidentiality in order to serve a broader societal interest. Decisions about the public interest are complex and must take account of both the potential harm that disclosure may cause and the interest of society in the continued provision of confidential health services. 70

These two considerations—account of harm that disclosure may cause in the immediate sense and for the parties concerned, as well as the broader, more abstract impact that disclosure may cause on the continued provision of confidential health services—indicate to Snelling and Quick that regulators’ guidance explains public interest ‘fully’ only if it includes consideration of the additional benefit of maintaining confidential practice; in other words, the weighing must involve a balancing of public interests between disclosure and the maintenance of confidentiality. They note that evaluating where the public interest lies involves much more than weighing consequences in a specific case; additional weighting is required to account for the public interest in maintaining a confidential health service. This does not exactly address what public interest is and the robustness of its explanation, but it does go some way to teasing out how it is explained across the regulators’ guidance. And to that end, they find that only the GMC and General Chiropractic Council ‘fully’ explain the public interest in their guidance. The Nursing and Midwifery Council and Social Work England do not explain it at all in their guidance, and the five other regulators only ‘partially’ explain it, which as Snelling and Quick inform us, means the guidance has some discussion of the public interest, but does not mention the public interest in maintaining confidential health services in a general sense, in addition to the effects it might have on a specific patient.

The broader finding of inconsistency in regulatory guidance is bound to confound healthcare professionals and drive further uncertainty and confusion, and could well leave them to second-guess a regulator or the courts. Undoubtedly, this is troubling for professionals and the public alike because no one really knows where they stand until decisions are tested. This includes the key question for this article: is the scope of public interest in the medico-scientific context necessarily limited to preventing risk of serious harm to others and preventing or detecting serious crime?

What the above analysis indicates is that neither law nor guidance sufficiently pins down the public interest relative to how it impacts on the associated duty of confidence. Is this opportunity for expansion or grounds for caution? In law, we see an enduring trope of the public interest in upholding confidences as balanced against the public interest in disclosing confidential information. How does the public interest in upholding confidences sit alongside a public interest in science and a claim to a human right thereto? We know that a public interest in pushing for science cannot be treated as equivalent to a right to science, and any right would imply corresponding duties. So, how might we reconcile duties of confidence with duties to pursue science and reap its benefits? It may be time to revisit the trope of public interest versus public interest and consider a new framing of the values, rights, interests, and duties at stake. I begin to explore this in the following subsection.

III.C. From Risk of Serious Harm to Promotion of Health?

To summarize the above discussion, the law will permit (restricted) disclosure of confidential information on a case-by-case basis where there are sufficient countervailing public interests favoring disclosure. In the medico-scientific context, the common law principles—and to some extent professional regulatory guidance—indicate that a prima facie case for disclosure will arise when the confidant reasonably assesses there to be a real risk of consequent danger to the public were the information not to be disclosed, and regardless of the confider’s consent or refusal for the information to be disclosed. Commentators have suggested that the risk of harm must be ‘real’ and not fanciful, and it must be a risk involving danger of physical or psychological harm. 71 Moreover, the harm must be ‘serious’—minor harm (eg, the risk of passing a treatable or curable infection to one’s spouse) would not justify an override of both the specific disclosure and the general public interest in maintaining trust that confidants (be they health professionals or otherwise) will not disclose confidential information.

But must the scope of public interest be limited to only those situations? And in the case-by-case assessment, might we not question what counts as ‘harm’ in the specific context, including non-production of new medicines, health insights, vaccines, treatments, and health opportunities—what might be seen as harms by omission? Jurisprudence, academic commentary, legislation, regulatory guidance, and public opinion would suggest a broader scope than appears at first instance, and we ought to take heed from Lord Hailsham’s statement in D v National Society for the Protection of Children that ‘[t]he categories of public interest are never closed and must alter from time to time whether by restriction or extension as social conditions and social legislation develop.’ 72 We ought also, though, to take heed from Simon Brown LJ’s recognition in R v Department of Health Ex p. Source Informatics Ltd of

… the importance of confining any public interest defence in this area of the law within strict limits—lest, as Gummow J put it at first instance in Smith Kline and French Laboratories (Australia) Limited v Department of Community Services and Health [1990] FSR 617, 663; it becomes ‘not so much a rule of law as an invitation to judicial idiosyncrasy by deciding each case on an ad hoc basis as to whether, on the facts overall, it is better to respect or to override the obligation of confidence’. 73

Navigating the path between the flexibility of the common law to account for evolution of the public interest and the importance of curtailing judicial idiosyncrasy (without becoming speculative as to how each judge or court may operate) becomes the core challenge this section of the article tackles. I now proceed to explore how the public interest has been interpreted in case law, academic commentary, legislation, regulatory guidance, and public opinion. What we begin to see is an openness to the idea that the public interest can cover a common interest concerning the promotion of collective welfare more broadly defined than previously considered.

III.C.1. Jurisprudence

Two medico-scientific cases are on point to suggest that the scope of public interest may stretch beyond cases of serious harm to others or serious crime. First, the case of Lewis v Secretary of State for Health 74 considered whether certain documents relating to deceased patients, including their medical records, could be disclosed to a confidential inquiry co-sponsored by UK Government ministers looking into whether tissues removed from individuals who had worked in the nuclear industry had been lawfully removed and analyzed. The inquiry had not been set up under the Inquiries Act 2005 and, accordingly, had no statutory power to order disclosure of documents or to compel any person to provide it with documents. Under its general powers, the High Court authorized the disclosure and grounded this in a public interest basis. Foskett J held that:

…this is an appropriate case in which to hold that the public interest in disclosure of the material sought outweighs the other public interest, namely, that of maintaining the confidentiality of medical records and information, provided, of course, proper safeguards are put in place to ensure that no inappropriate information becomes public. 75

The principal reason for this conclusion was:

…that there is plainly a public interest (and by that I mean not just ‘the interest of the public’) in determining what happened and why in connection with the very difficult and sensitive issues that arise from these matters. Those families that know broadly what happened are entitled to fuller answers to the questions raised if they wish to have them and there is a wider public interest in maintaining confidence in the NHS and the nuclear industry, a confidence that may be fortified either by the results of the investigation of The Inquiry or by the recommendations of The Inquiry if past practices are found to have been wanting and improvements are suggested. 76

This would suggest the common law recognizes that disclosure of confidential information may be grounded in a public interest basis beyond preventing risk of harm to others and preventing or detecting serious crime; in this case, there was a public interest in determining whether tissues removed from individuals who had worked in the nuclear industry had been lawfully removed and analyzed, and, at a larger scale, in helping contribute to a better understanding of how the workers died, which in turn could lead to improved confidence in both the health service and nuclear industry.

Importantly for the purposes of this article regarding the distinction between use of ‘confidential patient information’ for a ‘medical purpose’ (and use of section 251 support as the legal basis) and other kinds of confidential information that do not involve section 251, yet may nevertheless be of value in scientific research, Foskett J also held that while the information contained in the medical records was ‘confidential patient information’ within the meaning of section 251 of the National Health Service Act 2006, 77 the purpose was not a ‘medical purpose’ within the meaning of the Health Service (Control of Patient Information) Regulations 2002 (‘the COPI Regulations’), in this case purposes of ‘the management of health care services’ in the sense that it would be subject to ‘audit, monitoring and analysis of patient care and treatment’ as per paragraph 5 of the Schedule to the COPI Regulations. This meant that the COPI Regulations and section 251 could not serve as a statutory gateway to lawfully disclose the confidential information. In the words of Foskett J:

It would, in my judgment, be wholly artificial and, perhaps, to some at least, an affront, to suggest that care for a patient ends at the moment of death; but equally it does have to be acknowledged that active care and treatment in the normally accepted sense of the expression does come to an end at that point. The answer of most people to the question ‘do you regard the removal of tissues from a deceased person for the purposes of analysis is part of the care and treatment of the patient?’ would surely be ‘no’. If that is so and it reflects the correct legal interpretation of the expression, the information obtained from this procedure – whether it be audited, monitored or analysed or a combination of all three – would not be being processed for a ‘medical purpose’ prescribed by the Regulations. 78

Even if that were not the case, Foskett J continued, it could not be said that the inquiry itself, on proper analysis, was engaged in the ‘audit, monitoring and analysing of the provision made by the health service’ for the post-mortem analysis of tissues taken in the circumstances involved in the case:

… it does strain the normal meaning of the word ‘audit’ to embrace what The Inquiry will be setting out to do and, whilst I accept that The Inquiry is called upon to make recommendations, its principal focus is to discover what happened and why so that those affected, directly or indirectly, will have some explanation. 79

He thus concluded that ‘endeavouring to bring the purposes of The Inquiry within the language of regulations drafted for a different purpose is a little difficult and does, in my view, involve a step too far.’ 80

Second, in the case of R v Department of Health Ex p. Source Informatics Ltd, 81 the Court of Appeal considered an appeal against a declaration that the release of certain prescription information 82 by pharmacists to pharmaceutical companies constituted a breach of confidence despite the protection of patients’ anonymity. Source Informatics contended that (i) information was only confidential to the patient if it could be identified with them and, in the circumstances, it could not; (ii) transfer of the material from one party to another was not misuse of it; and (iii) patients had not suffered any detriment. The Court of Appeal ruled that there was no breach of confidentiality as anonymity was protected. As obiter dicta, Simon Brown LJ also commented that confidential patient information used for the purposes of ‘thorough research and management’ could be acceptable:

For present purposes, I say no more than that, provided, as I understand to be the case, the use of such identifiable data is very strictly controlled, there appears no reason to doubt that this is acceptable—whether because it falls within the public interest defence or as is perhaps the preferable view, because the scope of the duty of confidentiality is circumscribed to accommodate it, it is not necessary to decide on this appeal. 83

The qualifier ‘thorough’ research would suggest some degree of judicial openness to accepting restricted disclosure of confidential information, but the scope may well be limited to particular kinds of research (eg, public health emergency research) and under a number of strict conditions. I return to this additional consideration as well below.

III.C.2. Academic Commentary

Academic commentary would also suggest that the scope of public interest may stretch beyond cases of serious harm to others or serious crime. I have noted above that Phipps and colleagues observe that the public interest has broadened over time. 84 Additionally, in their article, Snelling and Quick observe that ‘[t]he broad concept of public interest has been applied in three situations: (1) preventing serious harm to others, (2) preventing or detecting serious crime, or (3) enabling effective public health research’, yet they do not elaborate on the nature of this third situation, although (as elaborated below) the recent COPI Notices arguably serve as an example of this. Snelling and Quick do, however, reference an earlier article from Case, who in turn argues that the conceptualization of public interest in the common law—at least in England 85 —is not broad enough to accommodate health research. In her view, it appears to require an immediate risk of serious harm, at least based on case law developed through the early 2000s—which explains why it has instead been accommodated through statutory provisions that permit disclosure of ‘confidential patient information’ without consent for ‘medical purposes’, including medical research. 86 It is to this important piece of legislation that I now turn.

III.C.3. Legislation

Specifically, the COPI Regulations were made by the Secretary of State using the powers conferred by section 60 of the Health and Social Care Act 2001. This section was repealed by the NHS (Consequential Provisions) Act 2006 and its statutory successor is section 251 of the National Health Service Act 2006. As the Health Research Authority (HRA) 87 website states:

Section 251 was established as it was recognised that there were essential activities of the NHS, and important medical research, that required the use of confidential patient information where it was not possible to use anonymised information and obtaining consent was not practical. 88

As Sorbie has observed, this legislation sought to address confusion around when it was acceptable for researchers to share confidential patient information in the public interest. 89 Far from being a temporary solution as envisioned when first enacted, this statutory pathway for use of patient-identifiable information has endured for over 20 years, with no indication of it losing legislative or stakeholder support. 90 This lends weight to Case’s argument that the conceptualization of public interest in common law was not seen as capacious enough to accommodate health research, and because consent or re-consent of patients was not seen as practicable for many forms of research, firm statutory footing was needed to enable confidential patient information sharing to cover situations beyond those concerning risk of serious harm to others or helping to prevent or detect serious crime. However, the scope covered by the statutory gateway is limited, even in scientific (or medical) research contexts, as will be seen.

The relevant subsections of section 251 of the NHS Act 2006 provide as follows (emphasis added):

Control of patient information

(1) The Secretary of State may by Regulations make such provision for and in connection with requiring or regulating the processing of prescribed patient information for medical purposes as he considers necessary or expedient—

(12) In this section ‘medical purposes’ means the purposes of any of —

Under the Act, ‘patient information’ is defined broadly as:

And patient information is ‘confidential patient information’ where: