HIV-positive individuals who had their confidential data leaked due to the actions of a Ministry of Health (MOH) staff member have the option to sue MOH but proving that they have suffered significant damage would be hard, according to lawyers interviewed by Yahoo News Singapore.
If these individuals were among the 14,200 people in MOH’s HIV Registry whose data had been compromised, they can also take the two persons at the heart of the leak to court, the lawyers said.
“If Ler has breached his duty of confidence whilst in the employ of the Ministry of Health, the ministry would be vicariously liable,” said lawyer George Hwang.
He was referring to Dr Ler Teck Siang, who was the head of the MOH’s National Public Health Unit, where he had access to details of the data that was leaked.
Ler downloaded the information onto a thumb drive and it ended up in the hands of his lover, Mikhy Farrera Brochez, who leaked it online after being deported from Singapore over fraud and drug-related offences in April last year.
On Monday (28 January), MOH announced that the compromised data included personal information such as contact details and medical information of the affected individuals.
Ler, who resigned from MOH in January 2014, was sentenced to 24 months’ jail in September last year for abetting Brochez in cheating and providing false information to the police and MOH. He is currently awaiting the appeal against his conviction and sentence.
He was also charged in June 2016 under the Official Secrets Act (OSA) for “failing to retain possession of a thumb drive” containing data from the HIV registry. His OSA charge has been stood down pending his appeal.
Government can ‘sue or be sued’
Lawyers pointed out that under Section 5 of the Government Proceedings Act (GPA), government agencies and ministries could be held accountable for the illegal actions of their employees if they were performed in the course of their normal duties.
To determine whether MOH could be held accountable, one has to consider whether Ler’s actions were sufficiently within the scope of his employment, said lawyer Genesis Shen.
“If Ler had authorised access to the database as part of his ordinary course of work, his actions would appear to be sufficiently related to his job,” Shen added.
According to the lawyer from Templars Law, MOH’s data-management policies need to be re-examined. He noted, “There’s also a question of why a single doctor had unfettered access to the entire patient database, when he would only require information from one patient at a time.”
Lawyer Hwang pointed out that the Singapore government can sue or be sued under the Constitution.
“It is vicariously liable for any breaches of conduct by its employees by virtue of tort law and the Government Proceedings Act,” said the director of George Hwang LLC.
Breach of confidence
While MOH might be liable, the scope of any civil suit arising from the data leak is limited to the actions of its employee Ler, who would be in breach of his statutory duty if he were found to have leaked the confidential HIV data.
“If Ler had given his access code to the records or data to Brochez, he could have committed an offence under the Computer Misuse Act,” Hwang said.
A HIV-positive person who is considering taking action against MOH or individuals involved in the incident would have to prove a “breach of confidence”, which would require several conditions to be fulfilled.
The person’s leaked information must be proven to be confidential and have been given in confidence, Hwang said. The recipient of the information must be proven to have used the information without authorisation and caused damage to the person, he added.
Similarly, if Brochez is a third-party recipient of information with knowledge that it is confidential, he has the same duty as Ler not to publish the information.
“However, he is no longer in Singapore. He published the information in the USA. It will be easier to bring an action against him in the USA,” Hwang noted.
When asked if MOH could be taken to court on grounds of negligence, the lawyer said it is a possibility. The key test is proving whether MOH has “exercised due care” in handling confidential data before 2016.
He was referring to MOH’s statement on Monday that since 2016, it introduced additional safeguards against mishandling of information by authorised staff.
Hwang said the question to ask is whether the measures were introduced in a timely manner and benchmarked against the best practices in other countries.
Proving damages is hard
But the HIV-positive individuals who are considering legal action against MOH or related individuals involved in the data leak would have to realise that the hurdles – while not insurmountable – are daunting.
Lawyer Josephus Tan from Invictus Law pointed out that the plaintiffs would need to quantify the damages caused or loss suffered as a result of the leak.
They may also have to cope with significant legal costs and the intense media glare, Tan said. Moreover, initiating a suit against Brochez would be contingent on whether his extradition back to Singapore is successful, he added.
The affected individuals would have to prove, for instance, financial loss, psychological harm or mental distress to get damages, said John Koh from Populus Law. But intangible loss, such as loss of reputation or mental distress, would be harder to prove as opposed to tangible loss, such as loss of employment, he added.
“Unless the leaked information resulted in some form of loss, I foresee most potential plaintiffs facing the uphill challenge of proving that the leak by itself should result in damages,” Koh said.