By Meghan Knapp, Staff Member

On January 22, HIV-positive residents in Singapore received a phone call from the government telling them that their information had been leaked from a private government database.[1] The massive data breach affected more than 14,000 people, all of whom had been forced to put their information into the national registry of HIV-infected individuals.[2]

It is believed that Mikhy Farrera-Brochez – an American – was behind the leak.[3] Farrera-Brochez had been living in Singapore with his partner – a Singaporean doctor, who had access to the HIV-database.[4] The government realized Farrera-Brochez had gained access to the database in 2016, yet they did not take the necessary steps to protect individuals whose names were listed in the registry.[5] It was only after Farrera-Brochez released the data on the internet that Singapore reacted to the breach.[6]

In the age of big data, the right to privacy is increasingly important, and health data is particularly important.[7] The Special Rapporteur on the Right to Privacy has expressed concern about “non-consensual sharing of health data, particularly HIV status” because of the fear, humiliation, and discrimination a data breach can cause.[8] Singaporeans who had their data leaked face stigma, loss of employment, and difficulties retaining insurance.[9]

The Singapore data breach exemplifies modern issues with privacy regulations. While the government may now be prosecuting Farrera-Brochez for the data breach,[10] post facto prosecution does little to remedy the harm that the data breach victims have suffered. States have a duty to establish, implement, document, and regularly review security measures “to prevent risks such as accidental or unauthorized access to . . . use . . . disclosure of health-related data or personal data, or any other health-related data breach.”[11] These safeguards must protect the rights and fundamental freedoms of the data subject as well as their families, groups, and populations.[12]

Singapore failed to take these measures. They did not take the necessary security precautions to keep the breach from occurring, and, once the breach happened, they did not take the necessary steps to prosecute Farrera-Brochez and resecure the data.[13] Guidelines for improving safeguards and remedies for privacy and health data are expected to come out later this year.[14] In the meantime, states should look to the E.U.’s General Data Protection Regulation data privacy policy as a model of best practice.[15] These guidelines outline the obligation to protect data.[16] Not only does it require data collectors to protect individual’s privacy through system reviews and security mechanism implementation, but it also requires data collectors to inform individuals that their data has been breached immediately after the collector becomes aware of the breach.[17] In the case of Singapore, the government would have had to inform concerned individuals about the data breach in 2016 and take necessary steps to ensure that information could not be used to violate the patients’ rights in the future.

States must recognize the importance of citizens’ right to privacy. The Singapore HIV-database breach provides just one example of how detrimental a data breach can be to individuals’ enjoyment of fundamental rights and freedoms. States and other data controllers must take proactive steps not only to ensure that data is not breached but also to ensure that breached data is not used against citizens. States cannot wait for the data to be made public; they must seek it out when they have a reasonable belief that data has been breached by an individual or group.

[1] Data Breaches Dent Singapore’s Image as a Tech Innovator, N.Y. Times (Jan. 30, 2019).

[2] Sharanjit Leyl, Singapore HIV data leak shakes a vulnerable community, BBC News (Feb. 22, 2019), https://www.bbc.com/news/world-asia-47288219.

[3] HIV-positive status of 14,200 people leaked online, Channel News Asia (Jan. 28, 2019), https://www.channelnewsasia.com/news/singapore/hiv-positive-records-leaked-online-singapore-mikhy-brochez-11175718.

[4] Id.

[5] Leyl, supra note 2.

[6] Aquil Haziq Mahmud, HIV Data Leak: Police Will ‘Spare No Effort’ to Bring Mikhy Farrera Brochez to Justice, Channel News Asia (Feb. 12, 2019), https://www.channelnewsasia.com/news/singapore/hiv-data-leak-police-will-spare-no-effort-to-bring-mikhy-farrera-11232886.

[7] Human Rights Council, Report of the Special Rapporteur on the Right to Privacy, ¶ 112, U.N. Doc. A/HRC/40/63 (Feb. 27, 2019).

[8] Id. at ¶¶ 86, 88.

[9]  Mahmud, supra note 6; Jake Maxwell Watts & P.R. Venkat, HIV Status of more than 14,000 People Leaked in Singapore Data Breach, Wall St. J. (Jan. 28, 2019, 9:34a.m. ET),  https://www.wsj.com/articles/hiv-status-of-more-than-14-000-people-leaked-in-singapore-data-breach-11548679969?mod=searchresults&page=1&pos=3&ns=prod/accounts-wsj; Data Breaches Dent Singapore’s Image as a Tech Innovator, supra note 1.

[10] Mahmud, supra note 6.

[11] Report of the Special Rapporteur on the Right to Privacy, supra note 7,  ¶ 4.1(g).

[12] Id. at ¶ 10.1

[13] HIV-positive status of 14,200 people leaked online, supra note 3.

[14] Report of the Special Rapporteur on the Right to Privacy, supra note 7,  ¶ 119(b).

[15] General Data Protection Regulation, GDPR Info (last accessed on  Mar. 4, 2018),  https://gdpr-info.eu/; see also Clustered ID: SR on Privacy & Cultural Rights – 12th Meeting, 40th Regular Session H. R. Council, UN Web TV (Mar. 1, 2019), http://webtv.un.org/meetings-events/watch/clustered-id-sr-on-privacy-cultural-rights-12th-meeting-40th-regular-session-human-rights-council-/6008879505001/?term=.

[16] General Data Protection Regulation, supra note 15.

[17] Id.