While the talk of town has been about the day to day life and inquiry into Colombo’s version of ‘Bonnie’ – Sewwandi; a recently repatriated organised crime suspect, sensationalised by the Ministry of Public Security, and the ‘leaps’ which the Government wants to achieve in digitalisation of the public sector and the economy, one can be forgiven for missing out on real issues that impact Sri Lankans at a personal level.
The social media platform ‘X’, previously known as Twitter, was a buzz yesterday (20) with a statement issued by a well-known netizen and entrepreneur who had named a prominent private hospital in Colombo for allegedly breaching the privacy of a patient – his daughter, who was hospitalised at the institution last week. He alleged that the private hospital had leaked details of his daughter’s treatment to an insurance company, which had then contacted him to inquire how he plans to make payments to the hospital. “…this is a complete breach of privacy!” he tweeted.
The allegation is serious and should be one every Sri Lankan and the State should take note of. If the allegations are true, to call such an act a breach of ethics, trust, and the law – would be an understatement. How can we trust a medical service provider who behaves in this manner? The question must be asked, do medical institutions, private or otherwise ‘sell’ our data to others? Sri Lanka has had a few instances recently when the ethics of medical officials and institutions have been questioned, especially following the release of medical and treatment information about patients. However, little, if at all any action (at least in the public domain) has been taken to remedy this issue.
Such issues highlight significant shortcomings in Sri Lanka’s envisaged digitalisation drive. While policy directives and grand strategies may be trumpeted by governments, the regulatory side of the change is lagging behind. This leaves Sri Lankans vulnerable to exploitation and even malicious attacks. The details of a patient should not have been shared by a hospital – Private or Public, with an insurance provider without the expressed permission of the patient or guardian. If they do, the patient should be able to hold the Hospital and the insurance company responsible for such a breach and the use of his or her private information.
The present Government and the previous one have been dragging their feet with the implementation of the Personal Data Protection Act (PDPA). According to its own State website, the operationalisation of the PDPA was to be completed by 18 March. “The Part V of the Data Protection Act was brought into operation in July 2023, which enabled the President to appoint the Chairman and the Board of Directors of the Data Protection Authority (DPA). The appointments were made and subsequently announced in October 2023. The DPA serves as the Regulator for safeguarding rights of citizens related to processing of personal data by the State and private sector parties. The PDPA is also expected to be a facilitator for growth and innovation in the digital economy, as stated in its preamble of the PDPA. As per the latest gazette notification, the PDPA will be fully operational and enforced, commencing 18 March 2025. Part IV of the Act, which deals with the provisions of the ‘use of personal data to disseminate solicited messages’ will be brought into operation at a subsequent date as provided for in the Act, which is not earlier than twenty-four months and not later than forty eight months from the date the Act was certified by the Speaker,” the website states. Last year, the PDA said it would be ready to commence enforcing the PDPA by March this year. This is yet to be done. The current Government for all its talk and plans about digitisation has also not ensured the PDA is fully operational and enforceable, thus far.
It seems that the public may have to take the matter about the misuse of their personal information and breach of privacy before the Courts and plead with the Judiciary act to protect their fundamental rights.