Data protection and privacy rights are not typically the source of great public discussion or even attention; that is, until they are neglected or disregarded. When represented by our information alone, the individual and their rights are often lost or ignored. Losing control of one's personal information or the right to confidentiality is one of the swiftest ways to feel violated.
This issue is best examined when considering the hierarchy of sensitive information we share with others. For example, details we share with doctors, therapists, or counselors being some of our most sensitive information. With this type of information there is a duty to look beyond how information can be used legally, and instead consider the ethics.
Recent actions by the University of Oregon highlight just this issue. When a student survivor of rape filed a lawsuit against the University for mishandling her case, the University accessed her records from seeking therapy on campus to use in their defense against her suit. The school argued in obtaining her health records, they were acting under their legal rights permitted by the Family Educational Rights and Privacy Act (FERPA). Because the student accessed the school's health clinic, the records belong to the University and therefore warrant their possession and use. Although an antiquated federal law permits use of the student's records, this is a clear violation of ethics and an abuse of power.
In utilizing the school's health clinic, the student had a reasonable expectation of confidentiality. Therapists, psychologists and counselors are governed by a code of ethics that guide their work. Confidentiality is a cornerstone of that code. According to the American Psychological Association, people accessing therapy or counseling need to feel comfortable discussing private details and revealing information in a safe place, without fear of that information being exposed or shared. The APA goes further to note that providers should "give you written information explaining privacy policies and how your personal information will be handled." A senior staff therapist at the University's counseling center agreed. She argued in a letter to the University that their use of the student's records was a violation of privacy and confidentiality. Access to the records was permitted without the student's consent. Concerning this issue at the University, a Department of Education representative urged educational institutions to 'comply with FERPA but also to respect the expectation of confidentiality that all Americans hold when talking to a counselor or therapist." Possessing the legal platform for access because they own the health clinic is not enough to justify the abuse of power in violating the student's right to confidentiality.
Obtaining the student's records without permission violates not only her confidentiality but also the principles of beneficence and respect. According to the World Health Organization, it is the duty of counselors, therapists and psychologists to safeguard the welfare of survivors, which includes risk reduction and ensuring benefits outweigh risks to survivors. Had the university counselors known the possibility for student records to be accessed, this would have likely been discussed with patients prior to any disclosure of information. Further, there is a requirement to respect the autonomy and self-determination of survivors. Confidential information shared without consent from the survivor ignores both principles of beneficence and respect.
A violation of the rights of one has the effect of diluting the integrity of the University's code of ethics for many. What is the incentive for other current and future survivors or students struggling with mental health difficulties to seek supportive services? The risk now is known. Information cannot be confidently shared with the understanding it will be confidential. Survivors and other potential patients now need to carefully weigh the risks in accessing university services. While Interim University President Scott Coltrane says, "it's our primary job to keep our students safe," students now have to consider that statement in light of the University's actions. This breach of trust will likely have long-lasting consequences.
Although acting within their legal boundaries, the University abused their power in overlooking basic ethical principles. Should students feel safe on campus? Should they access supportive services on campus if there is a need? Should they feel confident in seeking those services that their information will be protected and confidential? Presumably the University would answer 'yes' to those questions, but their actions show the contrary.
While authorized to access the student records, the University should instead consider the benefit to acting ethically. At the very least, the University should give consideration to the consequences for other students. Without confidence in how their information or how their privacy will be protected, why would students access services from the University? The rights, safety and welfare of the individual must be paramount.
Kristy Crabtree is the Gender-Based Violence Information Management Specialist at the International Rescue Committee. The views expressed here are entirely her own and do not represent the views or opinions of International Rescue Committee.