Summary A high quality public health system relies as much on a robust, accountable and transparent governance framework as it does on the integrity, professionalism and skill of its practitioners and administrators. Patients have an expectation, grounded in human rights entrenched in international law, to a reasonable quality of care and to not be exposed to exploitation, abuse or unreasonable risks of harm. A well-functioning public health system will deliver therapeutic outcomes accordingly, but must also provide a front-line defence for the public against communicable diseases or pandemics, and should also strive to facilitate medical research and innovation. The modern age of digitized personal health information, facilitated by rapid advances in telecommunications and computing technologies, presents both opportunities and hazards for public health systems. Digital collection of data assists healthcare providers by facilitating instant access to consolidated health records, and provides an abundance of information for epidemiologists and health economists alike. However, such systems have also exposed individuals to significant breaches of privacy, and threaten the viability of the doctor–patient relationship upon which a public health system depends. In Australia, the medical profession and healthcare consumers have voiced concerns regarding the general collection, use and secure storage of personal information, including data and metadata. Both forms of personal information have been the subject of high profile privacy breaches, raising questions about the legal protection of confidences between healthcare providers and patients, and whether surveillance of a physician's actions burdens their fidelity to patients in their care. For example, a data breach of the Red Cross Blood Service exposed the names, gender, addresses, dates of birth and responses to questions about ‘at-risk sexual behaviour’ of over half a million Australian blood donors. Regarding metadata, the tension between individual privacy and regulatory overreach is illustrated by powers previously granted under the Telecommunications (Interception and Access) Act 1979 (Cth) (commonly referred to as Australia's Metadata Retention Laws ) to the Australian Health Practitioner Regulatory Agency to examine the metadata of health practitioners under investigation, thus encompassing communication with all their patients, not simply those pertaining to a given complaint. This tension is also readily evident in the case study presented in this article of the Australian Federal Police's alleged warrantless access to a doctor's phone metadata to determine the identity of a suspected whistle-blower. In this case, an Australian doctor was being investigated on suspicion of having disclosed details without authorization pertaining to circumstances surrounding the death of an Iranian asylum seeker in August 2014 who was being held in an offshore detention centre on Manus Island. Media reports on evidence presented at the coronial inquest into the man's death in late 2016 allege that there were unreasonable delays in transporting the patient to a healthcare facility in Brisbane where he could have received life-saving treatment. While this example did not result in a prosecution, detention centre staff, including healthcare workers, who disclosed information about operations or matters within detention centres without authorization at that time, were potentially subject to a two-year jail term under the Border Force Act 2015 (Cth). As this case study illustrates, misuse of metadata for investigating and prosecuting doctors who act as whistle-blowers within the public health system is not an isolated concern and merits careful consideration. Doctors have an ethical duty to act as whistle-blowers (i.e., grounded in virtue ethics) in a range of situations, such as to report systemic failures, review clinical outcomes of both departments and individuals, or avoid catastrophic events. Indeed, whistle-blowing serves a crucial function to promote transparency of processes in health governance and thereby improve quality of care and patient safety. As such, doctors present a special case for legal protection when they act as whistle-blowers in good faith. Legal disincentives, such as punitive measures that purport to advance the aims of secrecy in government agencies, should be avoided. A failure to do so risks undermining the very foundations of the doctor–patient relationship, with consequent negative implications for patient safety and quality of care in public health systems.