Revision of secrecy safeguards in criminal law for lawyers, doctors, hospitals and insurance companies
On 29 June 2017 the Bundestag passed the law revising the safeguarding of secrecy where third parties are involved in the exercise of professional duties by persons with a duty of confidentiality.
This decision to pass the law is a response to calls for a long-overdue reform by the associations concerned, specifically adapting to the 21st century the criminal law rules on secrecy for certain professionals (doctors, dentists, psychotherapists, lawyers, tax consultants, auditors, notaries, as well as insurance companies). Whereas previously, disclosure of the secrets and data entrusted to the professional with a duty of secrecy without the consent of the patient, client or insured was possible only to “professional assistants”, now it is also possible to “other collaborating persons”. This not only means that external typing services, IT maintenance service providers or collection agencies have the opportunity to work for doctors, lawyers or other professionals with a duty of confidentiality, but now in particular, insurance and hospital operating companies can implement a financially worthwhile opportunity for data processing, including IT outsourcing, and use modern options of data storage such as cloud solutions. In turn, the providers of these services now have a completely new source of clients.
- Revision of section 203(3) and 203(4) German Criminal Code
Section 203 German Criminal Code lists a special, punishable nondisclosure obligation for professionals with a duty of secrecy. These include obvious professions such as doctors, dentists, pharmacists, lawyers, notaries, auditors and tax consultants. Thus this provision focuses on the traditional profession of the individual advisor.
However, this secrecy safeguard also covers hospitals, hospital operating companies, large law or audit firms, and, according to section 203(1) no. 6 German Criminal Code, insurance companies. As the criteria for the offence, especially the criterion of “disclosure”, already covered granting to third parties the opportunity of obtaining knowledge, these companies previously could not, or only to a limited extent, avail themselves of third parties’ services, especially in the area of IT. The sole exception was for disclosure to “professional assistants”, a term which some authors considered to cover external service providers to the professional secret bearers as well. But the prevailing opinion rejects this. There were no definitive precedents.
According to the revision of section 203 German Criminal Code on “disclosure” of the secret, notification of the secret is now possible not only to “professional assistants” but also to “persons who collaborate in the professional or service activity of the professional with a duty of secrecy, if this is necessary for using the activity of the other collaborating persons.” The explanatory memorandum names examples of such collaboration actions such as
– accepting telephone calls,
– archiving and shredding files,
– setup, operation and maintenance – including remote maintenance – and adjustment of IT equipment, applications and systems of all kinds, such as correspondingly equipped medical devices,
– providing IT equipment and systems for external storage of data
– collaborating on the fulfilment of accounting and tax law obligations of the professional with a duty of secrecy.
Data can thus be passed on to these people in future even without the consent of the patient, client or insured. This enables the use not only of IT remote maintenance services, but also the latest solutions such as cloud computing, for example. Professionals with a duty of secrecy previously did not have this option.
The list above does not appear to be conclusive. However, the new law creates a certain barrier with the characteristic of “necessity”. The question is: when is collaboration still necessary? Can this apply, for example, to PR agencies in the case of litigation PR or crisis communication about criminal proceedings with public attention? And what about technical service providers for email reviews during internal investigations?
- Extension of the right to refuse to give evidence
These questions are relevant. In the cases described above there is usually consent from the client, so that passing on information by the lawyer to the agencies has always been unpunished. But an extension of the attorneyclient privilege may be necessary. Section 53a of Criminal Procedure Code specifically extends the procedural right of refusal to give evidence, and similarly the exemption from seizure, to these collaborating persons. This can be significant in the case of crisis communication, or email reviews by external service providers, for example.
- Revision of certain occupational obligations
The downside of expanding the circle of people to whom the secret can be passed on is the criminal liability of the disclosure of this secret by the thirdparty service providers. This is now specified in section 203(4) of Criminal Code. It firstly affects the personal criminal liability of the other collaborating persons, in other words the third-party service provider.
Additionally, this section provides for criminal liability of the professional himself if this person “has failed to ensure that another collaborating person who discloses without authorisation a secret which became known during the exercise or by occasion of their activity, was required to commit to confidentiality.” The requirements which such an obligation must meet are not specified in the draft of section 203 German Criminal Code.
But some indications are offered here by the professional obligations also revised during the reform. The federal legislator, in the absence of legislative powers for the other professions concerned, only regulated the passing on of secrets to third-party service providers for lawyers, notaries, patent attorneys, tax consultants and auditors. There is no rule for doctors, which in the opinion of the federal legislator is a matter for the state legislators. This may be correct, but it is not clear from the explanatory memorandum why no rule was made for insurance companies for which there would certainly be powers of legislation for the federal lawmaker.
In any case we assume that, with the individual provisions the federal legislator wanted to create in the professional regulations a blueprint for an appropriate obligation for third-party service providers. For example, the revision in the German Federal Lawyers’ Act (section 43e) provides that
– the service provider is chosen carefully,
– the contract with the service provider is entered into in text form,
– the service provider was informed of the criminal consequences of a breach of duty,
– the service provider was asked to commit to obtaining knowledge of third-party secrets insofar as necessary to perform the contract, and
– it is specified to the service provider whether it is authorised to deploy other persons to perform the contract.
- Impact of new law
The new law opens up broad application possibilities for using IT services for professional groups and industries which were previously not permitted to do so.
As part of the specific contractual design it is important to very carefully define the individual obligations. The new version of the law offers some starting points here which must be solidly implemented. But no more than that is offered. For example it is unclear in particular how detailed the instruction given to the service provider must be; whether and in what form this instruction must be passed on to employees; whether the original professional with a duty of secrecy must know the individuals involved; what requirements there are for selecting them; and so on. The basics of the contract should therefore be drafted with great care, or be reviewed if necessary.
Any Questions? Please Contact: Dr. Martin Schorn
Practice Group: Compliance & Internal Investigations, Healthcare and IT, Outsourcing & Data Privacy