Uber rape case: Leaked medical records reveal gaps in protecting victims of sexual violence

The recent reports of the medical records of a survivor of rape by an Uber driver in 2014 being leaked by law enforcement officials to the Uber CEO Travis Kalanick have raised questions on the right to privacy while highlighting a deep gap in the understanding between the legal and medical spheres on how to protect the victims of sexual violence.

This gap — that exists even though a total of 34,651 rapes were reported in India in 2015, according to the National Crime Records Bureau (NCRB) — needs to be bridged because cases of sexual violence are immensely information intensive, and often, it becomes the duty of the healthcare industry, during these cases, to acquire, process, store, retrieve and transfer critical health information. More so, in the present judicial environment, where rape adjudication has no permissible pattern, and victims are blamed for their plight.

Representational image. PTI

Representational image. PTI

Furthermore, the element of personal health information so easily available makes it inherently more difficult to protect; confidentiality between the doctor and patient might be lost; there may be disclosure and misuse of information, and a possibility of privacy violations.

Besides, privacy violations are against the right to privacy, embodied within the right to life under Article 21 of the Constitution of India, and are both stigmatising and discriminatory.

What's the Uber case about

According to reports, the rape survivor has filed a lawsuit in a California federal court, which names Kalanick as a defendant, and cites numerous media reports where Kalanick and other executives doubted the account of victim’s experience.

The lawsuits states, inter alia – “Uber executives duplicitously and publicly decried the rape, expressing sympathy for plaintiff, and shock and regret at the violent attack, while privately speculating, as outlandish as it is, that she had colluded with a rival company to harm Uber’s business.”

The rape took place in December 2014 in Delhi, and the perpetrator was convicted of rape and the courts sentenced him with life sentence the following year. The survivor, who is an Indian and presently resides in the United States, states that an Uber executive had “met with Delhi Police and intentionally obtained plaintiff's confidential medical records” and alleges that Uber has no established mechanisms for safety.

While this is a classic case of the violation of privacy of a patient, it is not the only one.

In December 2016, media reports said that electronic media reports (EMR) of close to 35,000 patients held by a pathology laboratory in Maharashtra were leaked, which pointed to the inadequate safeguards for the protection of patients’ sensitive information.

Protection of medical records is not absolute

Though a disclosure of public health information is violation of the right to privacy, there are certain situations that may supersede this rule and disclosure may be permissible.  These are situations of public safety (for example: epidemics, disease registration, and the like), when required by law, concept of shared confidentiality with another doctor, and the administration of justice.

Moreover, when there is a conflict between the right to privacy and the utilitarian idea of the greater good, the judiciary, too, leans towards the latter over individual privacy. In the case of Sharda vs Dharmpal (2003), the husband filed for divorce alleging that his wife was mentally ill. To prove her mental incapacity, the husband forced her to go through a medical examination, while the wife claimed that this act was a violation of her right to privacy. The court, shockingly, claimed that the right to privacy is not absolute and the absence of this data (records of medical examination) would make it difficult to adjudicate on the matter.

However, the case of Uber is not an instance where there is a dichotomy between the individual’s right to privacy and the society’s obligation to provide for greater good. And therefore, the Informational Technology Act (IT Act), 2000 comes in. This legislation provides for a legal framework for electronic governance by giving recognition to electronic records. Section 43 (a) and Section 72 of the IT Act create a broad framework for the safe-keeping and protection of personal information in India.

Section 43(a) is a provision that by and large lays down rules of compliance for ‘body corporates’ that gather, store and deal with sensitive, personal information like health conditions, medical and biometric records, financial information, and information on sexual orientation, and requires such establishments to take reasonable measures to safeguard all sensitive personal data.

Section 72 provides for protection of personal information from an unlawful disclosure in a breach of contract. The Sensitive Personal Information Rules by the Ministry of Communications and Information Technology states that all body corporate must provide a policy for privacy, reasonable security procedures and disclosure of information (Rule 4). Moreover, Rule 6 states that:

“[D]isclosure of sensitive personal data or information by body corporate to any third party shall require prior permission from the provider of such information, who has provided such information under lawful contract. […] or “where the disclosure is necessary for compliance of a legal obligation […].”

The catch, here, of course is that the complying institution in such cases has to be a ‘body corporate’ only. A body corporate under the act is defined as “a firm sole proprietorship or other association of individuals engaged in commercial or professional activities".

The government or government employees don’t come under the ambit of body corporate, and reports have suggested that the Uber rape survivor’s medical records were leaked by law enforcement officials to Uber.

Even criminal laws relating to rape don’t give clear answers to bridge the legal and medical paradigms when it comes to protecting victims. Section 228A of the Indian Penal Code, 1860 puts forth provisions prohibiting the disclosure of identity of a victim in certain offences; this provision talks about the printing or publishing of the name or “any matter which may make known the identity of any person” who has been violated by, inter alia, rape, gang rape, rape leading to death or a permanent vegetative state. The only exceptions to this rule is the victim provides an authorisation of this in writing, by next of kin of the victim if victim is dead, or minor or of unsound mind, and under the order in writing by officer-in-charge of the police station or the investigation officer “acting in good faith for the purposes of such investigation”.

Can the breach of privacy by Uber be subsumed under the exception of section 228A? I think not. This is a larger issue of breach of privacy where sensitive personal health information has been revealed in the absence of a legal framework that makes an active effort to protect health records of victims. At this point, the medical and legal sectors don’t see eye to eye on a very significant topic at hand, and this can wreck havoc for our right to privacy in health!


Published Date: Jun 18, 2017 06:47 pm | Updated Date: Jun 18, 2017 06:50 pm


Also See