The 'Need to Know' concept is often quoted but rarely defined in the literature. In general, the principle directs that unless an individual has a specific reason to have access to a piece of information, that access is denied. The concept is used extensively in privacy legislation throughout Western nations. The principle is investigated with respect to its use in the protection of personal medical information and the liabilities that may result from such usage.

Keywords: Need to know, computer security, medical data security