Can you unlock your unconscious patient’s mobile phone with their thumb? St.Emlyn’s

should you unlock your patients phone stemlyns

The case:

Let’s imagine a case, based on reality but essentially a thought experiment. You are working in the ED resus area when you receive a young unconscious patient from the paramedics. They had been found alone in an alleyway in the late evening. There were no witnesses to what happened and you really don’t know what’s going on. Your patient is unconscious with a GCS of 6 (E1, V1, M4) and dilated pupils. Their pulse is 47 with a blood pressure of 97/51. You can find no evidence of external injury and no obvious reason why your patient is unconscious. Your working diagnosis is that this is probably a tox case, but you can’t be sure.

As you prepare for an RSI and CT Brain, you get on with maintaining the airway, obtaining IV access and getting bloods off to the analyser.

But who is this patient? You have no ID and no information on them. Wouldn’t it be helpful if we knew who they were? If we did then perhaps we could have a look on our hospital database to check on past admissions, medicines, and of course if they are critically ill we should consider contacting their family. So, as you are prepping for the clinical management of the patient your team goes through the patient’s pockets looking for clues. They might find a bag of drugs, a suicide note, an alert bracelet, all sorts of useful information that could guide your clinical management of the patient, but there is nothing obvious there. All you find is a train ticket from Leeds to Virchester and an iPhone 6.

Look bottom left for the emergency data

Look bottom left for the emergency data

There’s nothing much to go on… or is there? That mobile phone must have information on it. Perhaps there is something useful, and so you touch the screen and swipe right to look on the lock screen. Down there on the bottom left there should be emergency information that can be accessed by anyone. It will also display your weight from the health app (blushes), together with name, height and any specific medical info you’ve put such as medications, allergies and blood groups. Sadly, your patient has not filled it in and so you still don’t know anything about your patient. That is until one of your nurses suggests that we unlock the phone with the patient’s thumbprint.

If you don’t already know then this is eminently possible. By holding the patient’s thumb to the phone you should be able to access the contents and go looking for… well, what exactly? I suppose we could probably find out who they were by looking at their text messages and perhaps even by phoning a contact based on their recent call history. You might look to see if they have their home number listed, or maybe someone called ‘mum’ or ‘ICE’. Suffice to say that the little phone in your pocket probably contains a wealth of information that can identify you, your friends and family, your habits, desires and preferences.

So, should you do it? Should you hold that phone to your patient’s thumb and log into their phone right there in the resus room?

This is a real question that I was asked recently with a similar case, and to be honest I did not know the answer. On the one hand it’s always useful to know who your patient is, on the other it feels like a huge invasion of privacy and a break of confidentiality. We needed to know more, so the next day I started a poll on Twitter. You can see the results below.

So we clearly don’t know. Of the 735 people who answered the poll (which I conducted without ethical approval btw) the majority of people thought that it was fine with many comments suggesting that it was no different to going through the patient’s pockets. A minority thought it was absolutely not the right thing to do and about a third said it depends (we’ll come back to this). The bottom line is that there is no consensus and so I can only presume that practice varies across the UK and the world.

So, can we do this?

Practically – yes. Legally, I’m not so sure. I asked a friend (Oli May – husband of Nat) who knows about these things and got the following back. Now neither Oli or myself are lawyers and this is not legal advice but let’s have a think about how this could play out in the UK.

from Oli May
The key relevant legislation for me is s1 of the Computer Misuse Act 1990. While this pre-dates smartphones, and there has been some discussion recently about whether it should be updated to specifically cover them, the CPS argues that subsequent case interpretation is viewed as capable of covering a smartphone. In fact one legal blogger has heard of argumnents that  it might even cover internet-enabled fridges!

The offence of unauthorised access only requires three components:

  1. The person interacts with the computer to obtain access to a program or information
  2. That it is unauthorised access;
  3. That the person doing it knows that it’s unauthorised.
So this fits your scenario by definition. It carries a potential custodial sentence and a fine.
As what is being described is a criminal offence, there needs to be either (1) a defence/protection from liability defined in law that is available to a doctor to use (e.g. the sort of thing that you might find in the Mental Capacity Act), or a (2) power conferred upon them by some other part of law to carry out this action.
So my question is, what legal powers or defences exist for doctors here? I don’t know of any nor whether the CMA would be relevant here.
Further, if there is no power or defence, and if the doctor takes hold of and manipulates the patient’s finger/thumb in order to access the smartphone, this could be seen to  open the doctor to a further challenge given that this is a criminal offence and therefore not acceptable physical contact with a patient. If it is an offence, then it isn’t in the best interests of the patient.
Would a doctor be prosecuted, in your scenario? In theory this is possible if a defence/protection from liability or a power does not exist, but the greater risk it would seem to me is civil litigation by the patient concerned; information security and privacy is a hot issue (see current controversy between the FBI and Apple).
So, to round this off, if I was standing in your ED while you contemplated the scenario, I’d suggest you ask yourself: Do you have a power or defence/protection from liability to do that? If not, or if you don’t know, is it really necessary – do you need that information, and have you exhausted all other avenues to get that information? Are you then prepared to take this risk?
I think the MDU or MPS may be good people to pick this up with.

So this is really interesting. The key message here for me is that this is not the same as going through someone’s pockets and that if we do access the phone then someone may argue that we are committing an offence. Now, as clinicians we all know that prevention is better than cure and so it looks to me as though we really should not be casually wandering into our patient’s phone.

Any other complexities?

IMG_2943

All sorts of info on the notifications screen. Accessible without passcode.

Just one. On the iPhone if you have notifications enabled on accounts like Instagram, text messages, whattsapp, Tinder,  Grindr, (Ed – you’ve only put those in to check people are reading) then they will be accessible by scrolling down from the top of the screen without a passcode. I have no idea whether accessing them could constitute an offence. You could argue that this is still an interaction to obtain information and therefore appears to break the rules.

Is there a defence of necessity?

Again, I’m no lawyer but I can imagine an analogy with principles of confidentiality. We try to maintain our patient’s confidentiality unless there are vital reasons not to do so. There are number of circumstances where we can break confidentiality for the protection of the patient or public, and the test for this is understandably high (see GMC site here for UK examples). The question we need to ask is whether there are any circumstances in the resus room where we might need to obtain phone information.

What would that information look like? Firstly, it would have to be time critical. If we can wait for the Police to arrive in order to help identify (interestingly they have hand held fingerprint recognition devices these days) our patient then we should leave it to them, they are good at that sort of thing and will be similarly motivated to find out who the patient is through their legal authority. Secondly, we would have to be looking for information that would make a difference to the way in which we are going to treat our patient at that moment in time. It may be very important later on to contact family if we discover our patient to be critically unwell or even dying, but right at that initial moment in time in the resus room you must ask yourself ‘what do I need to know, and how would accessing the phone answer that’.

I think this is why we had 30% of people saying it depends in our Twitter survey. Maybe they can think of a scenario where we need to know right there and then, and before the police arrive. I’m struggling to think of such a scenario, but it may exist.

What happened with our patient?

It was a really interesting question raised in resus. We thought about accessing the patient’s phone but asked ourselves the question ‘Do we need to do this now, and if so why?’. As a team we could not think of doing anything different at that moment and so we did not access their phone (they were fine btw).

The Bottom Line

Unless I hear otherwise in the form of a legally qualified opinion I won’t be breaking into my patients’ phones unless a scenario arises where I can honestly say that I need to know information on that phone right there and then. In that case I would be able to clearly articulate 1. What I was looking for. 2. Why I need that information right now. That’s my test, and I think Swami agrees with this.

As ever, we’d love to hear your thoughts on this, and if there is anyone out there who has the definitive UK legal answer please send us a message so that we can share it widely. If you have an international perspective then please share that too.

UPDATE

Check out the comments below and especially from Charles H. There is an alternative route to accessing identification and contact information if the phone has Siri enabled, and if contacts have been saved with tags (such as mother/father etc.)

Watch this video to find out how and why.

simon isabelle mobile phones stemlyns from Simon Carley on Vimeo.

vb

S

PS. Check your phone. Have you filled in YOUR details? Check your family and friends too…..

 

Before you go please don’t forget to…

10 Comments

  1. Daniel Darbyshire

    I wonder what happens if you reframe accessing the phone as a diagnostic test. There are clear risks (breaking confidentiality) and the benefits are unclear but potentially life saving. Comparing this to other interventions we do in the E.D. I think there are similarities. I would follow a similar approach to applying other controversial clinical techniques in emergencies. Ask a colleague, if two or more of you agree that benefits outweigh the risk in that emergency setting then access that phone. I’d want you to do it to save mine or a loved ones life.

    P.S. Fill in your emergency details

    P.P.S. I voted yes

    Reply
  2. Sanna Waseem (@SannaWaseem)

    In the age of health technology, it won’t be long until our phones/watches etc can tell us more than our weight and step count for the day. Perhaps there is a market in here for tech companies to create some way for medical professionals (and other emergency services) to access a phone which limits what we can see (i.e look at a heart trace and not Grinder notifications)?

    Reply
  3. Charles H

    You can just hold down the home button and ask Siri ‘Who’s phone is this?’.

    Reply
    1. Gareth Roberts

      I cant believe i did not know this. Ths is briliant

      Reply
  4. Cannulator

    You Realise by now that the clerks have gone absolutley batshit because they have no patient details and they hate not having details before a patient receives treatment; the have rung Cupertino and forced Apple to unlock the hone and retrieve the data for you.

    Reply
  5. Pingback: LITFL Review 221 | LITFL: Life in the Fast Lane Medical Blog

  6. Pingback: An anonymous patient | FOAM links

  7. Pingback: LITFL Review 221 – FOAM Ed

  8. Pingback: Thumbs Up for Privacy - Bioethics Research Library

  9. Kareen

    In the age of health technology, Perhaps there is a market in here for tech companies to create some way for medical professionals to access a phone which limits what we can see?

    Reply

Thanks so much for following. Viva la #FOAMed