AJD v Royal Prince Alfred Hospital

NCAT Administrative and Equal Opportunity|2014-09-02

reasons for decision 1This matter was commenced in the General Division of the Administrative Decisions Tribunal ("the ADT"). On 1 January 2014, the ADT was abolished and its functions were taken over by the Civil and Administrative Tribunal of New South Wales ('NCAT'). The present decision is therefore a decision of NCAT. But because the proceedings to which it relates are 'part heard proceedings' as defined in clause 6(1) of Schedule 1 of the Civil and Administrative Tribunal Act 2013, they are to be determined as if that Act had not been enacted (see clause 7(3)(b) of this Schedule). 2These reasons concern a review of conduct by the Respondent, the Royal Prince Alfred Hospital under the Privacy and Personal Information Protection Act 1998 ("the PPIP Act") and the Health Records and Information Privacy Act 2002 ("the HRIP Act"). The names of private individuals, and other information which might identify them, have been anonymised so as to preserve the privacy of their personal affairs. I have also limited my discussion of some issues in order to the privacy of their personal affairs. In these reasons the Applicant is referred to as AJD. 3It is common ground that the Respondent is and was at all relevant times a health service provider within the meaning of section 4 of the HRIP Act. AJD has been a patient of the Respondent. She suffered from a serious and chronic illness and received health services provided by the Respondent. AJD also delivered two children ("the children") at the Respondent's maternity unit. The Respondent held health information, as defined in section 6 of the HRIP Act, about AJD and the children. 4AJD and the children's father ("the father") are divorced but both parents have equal custodial rights and responsibilities for the children. 5The father lodged requests with the Respondent for the children's medical records. In response to that request, the Respondent supplied copies of its medical records of the children to the father. 6These records relating to the time around each of the children's births contained both the children's health information and information regarding AJD's health. The records indicated that AJD suffered from a serious chronic illness and also contained other information about her health. 7AJD lodged a request for an Internal Review of the conduct. She asserted that her privacy was breached by the Respondent having used and disclosed personal health information to the father, an unauthorised third party, without her consent or without lawful purpose. AJD further says that the Respondent failed to ensure the security of her personal health information against unauthorised misuse and disclosure. 8The review considered whether there had been breaches of Health Privacy Principle ("HPPs"). It considered HPP 5 (Retention and Security), HPP 10 (Limits on Use of Health Information), and HPP 11 (Limits on Disclosure of Health Information). In the review, the Respondent conceded that information regarding AJD's health was contained within the children's medical records and that this information was provided to the father as part of the children's records. However, the review found that no HPPs had been breached. 9The reviewer found that there was no evidence to substantiate the allegation that the Respondent had failed to ensure the security of AJD's health information against unauthorised use and disclosure. The reviewer found that the Respondent did not use AJD's health information other than for the primary purpose of providing health services to AJD and the children. 10The Respondent considered that the information of AJD's condition was of significant relevance to the ongoing care of the children and the medical records were released in their entirety to the father. The review also indicated that documentation in the children's medical records indicated that the father was already aware of AJD's serious chronic condition. 11AJD has applied to the Tribunal for external review of the conduct. In that application she sought a number of orders including compensation for damage suffered as result of alleged breaches of the HRIP Act.

Relevant legislation 12Subsection 11(1) of the HRIP Act provides that every 'organisation' that is a health service provider or that collects, holds or uses health information is subject to that Act. The term 'organisation' is defined to include a public sector agency (see subsections 4(1) of the HRIP Act). 13Subsection 11(2) of the HRIP Act provides that an organisation to whom, or to which the HRIP Act applies is required to comply with the HPPs that are applicable to the organisation. There is no dispute that the Respondent is an organisation to whom the HRIP Act applies and is required to comply with the HPP's which are set out in Schedule 1 of the HRIP Act. Subsection 11(3) of the HRIP Act provides that an organisation must not do anything, or engage in any practice, that contravenes an HPP. 14The HPPs include principles in regard to the collection (clause 1 to 4), retention and security (clause 5), access and amendment (clause 6 to 8), use (clause 9 and 10) and disclosure (clause 11) of a person's health information. The HPPs relevant to this application are discussed below. 15Subsection 21(1) of the HRIP Act makes provision for complaints to be made against a public sector agency in regard to conduct which is alleged to be a contravention of an HPP that applies to the agency. Such complaints are made pursuant to Part 5 of the PPIP Act and for that purpose a reference in Part 5 of the PPIP Act to 'personal information' is to be taken to include 'health information': see subsection 21(2) of the HRIP Act. 16The term 'health information' is defined in section 6 of the HRIP Act. Section 6 provides: 6 Definition of "health information" In this Act, "health information" means: (a) personal information that is information or an opinion about: (i) the physical or mental health or a disability (at any time) of an individual, or (ii) an individual's express wishes about the future provision of health services to him or her, or (iii) a health service provided, or to be provided, to an individual, or (b) other personal information collected to provide, or in providing, a health service, or (c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or (d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or (e) healthcare identifiers, but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act. 17The term 'personal information' is defined in section 5 of the HRIP Act. That section relevantly provides as follows: 5 Definition of "personal information" (1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. (2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics. 18Section 22 of the HRIP Act provides that: 22 Government Information (Public Access) Act 2009 not affected (1) Nothing in this Act affects the operation of the Government Information (Public Access) Act 2009. (2) In particular, this Act does not operate to lessen any obligations under the Government Information (Public Access) Act 2009 in respect of a public sector agency. (3) Without limiting the generality of subsection (1), the provisions of the Government Information (Public Access) Act 2009 and the Privacy and Personal Information Protection Act 1998 that impose conditions or limitations (however expressed) with respect to any matter referred to in HPP 6 (Information about health information held by organisations), HPP 7 (Access to health information) or HPP 8 (Amendment of health information) are not affected by this Act, and those provisions continue to apply in relation to any such matter as if those provisions were part of this Act. 19Personal information is defined in the same terms in subsection 4(1) and (2) of the PPIP Act. 20The HPPs relevant to this application are those contained in clause 5, clause 7, clause 10 and clause 11 of Schedule 1 of the HRIP Act. Clause 5 of Schedule 1 of the HRIP Act provides: 5 Retention and security (1) An organisation that holds health information must ensure that: (a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and (b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and (c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and (d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information. Note. Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause. (2) An organisation is not required to comply with a requirement of this clause if: (a) the organisation is lawfully authorised or required not to comply with it, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). (3) An investigative agency is not required to comply with subclause (1) (a). 21Clause 7 of Schedule 1 of the HRIP Act provides: 7 Access to health information (1) An organisation that holds health information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information. Note : Division 3 (Access to health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause. Access to health information held by public sector agencies may also be available under the Government Information (Public Access) Act 2009 or the State Records Act 1998 . (2) An organisation is not required to comply with a provision of this clause if: (a) the organisation is lawfully authorised or required not to comply with the provision concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998). 22Clause 10 of Schedule 1 of the HRIP Act provides: 10 Limits on use of health information (1) An organisation that holds health information must not use the information for a purpose (a "secondary purpose") other than the purpose (the "primary purpose") for which it was collected unless: (a) the individual to whom the information relates has consented to the use of the information for that secondary purpose, or (b) the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or Note : For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose. (c) the use of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent: (i) a serious and imminent threat to the life, health or safety of the individual or another person, or (ii) a serious threat to public health or public safety, or (d) the use of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and: (i) either: (A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or (B) reasonable steps are taken to de-identify the information, and (ii) if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication, and (iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or e) the use of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and: (i) either: (A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or (B) reasonable steps are taken to de-identify the information, and (ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and (iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or (f) the use of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and: (i) either: (A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or (B) reasonable steps are taken to de-identify the information, and (ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and (iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or (g) the use of the information for the secondary purpose is by a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or (h) the organisation: (i) has reasonable grounds to suspect that: (A) unlawful activity has been or may be engaged in, or (B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW) , or (C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and (ii) uses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or (i) the use of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or (j) the use of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or (k) the use of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph. (2) An organisation is not required to comply with a provision of this clause if: (a) the organisation is lawfully authorised or required not to comply with the provision concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ). (3) The Ombudsman's Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions. (4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency: (a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or (b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter. (5) The exemption provided by subclause (1) (j) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency. 23Clause 11 of Schedule 1 of the HRIP Act provides: 11 Limits on disclosure of health information (1) An organisation that holds health information must not disclose the information for a purpose (a "secondary purpose" ) other than the purpose (the "primary purpose" ) for which it was collected unless: (a) the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or (b) the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or Note : For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose. (c) the disclosure of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent: (i) a serious and imminent threat to the life, health or safety of the individual or another person, or (ii) a serious threat to public health or public safety, or (d) the disclosure of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and: (i) either: (A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or (B) reasonable steps are taken to de-identify the information, and (ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and (iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or (e) the disclosure of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and: (i) either: (A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or (B) reasonable steps are taken to de-identify the information, and (ii) if the information could reasonably be expected to identify the individual, the information is not made publicly available, and (iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or (f) the disclosure of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and: (i) either: (A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or (B) reasonable steps are taken to de-identify the information, and (ii) the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained, and (iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or (g) the disclosure of the information for the secondary purpose is to provide the information to an immediate family member of the individual for compassionate reasons and: (i) the disclosure is limited to the extent reasonable for those compassionate reasons, and (ii) the individual is incapable of giving consent to the disclosure of the information, and (iii) the disclosure is not contrary to any wish expressed by the individual (and not withdrawn) of which the organisation was aware or could make itself aware by taking reasonable steps, and (iv) if the immediate family member is under the age of 18 years, the organisation reasonably believes that the family member has sufficient maturity in the circumstances to receive the information, or (h) the disclosure of the information for the secondary purpose is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or (i) the organisation: (i) has reasonable grounds to suspect that: (A) unlawful activity has been or may be engaged in, or (B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW) , or (C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and (ii) discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or (j) the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or (k) the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or (l) the disclosure of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph. (2) An organisation is not required to comply with a provision of this clause if: (a) the organisation is lawfully authorised or required not to comply with the provision concerned, or (b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ), or (c) the organisation is an investigative agency disclosing information to another investigative agency. (3) The Ombudsman's Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions. (4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency: (a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or (b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter. (5) If health information is disclosed in accordance with subclause (1), the person, body or organisation to whom it was disclosed must not use or disclose the information for a purpose other than the purpose for which the information was given to it. (6) The exemptions provided by subclauses (1) (k) and (2) extend to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency. 24Part 5 of the PPIP Act (i.e. subsections 52 to 56) makes provision for the review of conduct of a public sector agency. Section 52 in that part defines 'conduct' to include the contravention of an information protection principle ("IPP") that applies to a government agency. These IPPs are set out in Part 2 of the PPIP Act (i.e. subsections 8 to 19) and include principles in regard to the collection, retention and security, access, alteration, accuracy, use and disclosure of personal information (see subsections 8 to 19 of the PPIP Act). As mentioned above, subsections 21(2) of the HRIP Act provides that for the purposes of Part 5 of the PPIP Act, a complaint made about conduct of an agency that contravenes an HPP, is also conduct falling within that Part. 25Section 53 of the PPIP Act gives a person aggrieved by the conduct of a public sector agency the right to seek internal review of that conduct by that agency. By reason of subsections 21(1) of the HRIP Act, this right extends to conduct which is alleged to be a contravention of an HPP that applies to that agency. 26Section 55 of the PPIP Act makes provision for a person dissatisfied with the findings of an agency in regard to that person's internal review application, to seek external review of the conduct that was the subject of the complaint. That section relevantly provides: 55 Review of conduct by Tribunal (1) If a person who has made an application for internal review under section 53 is not satisfied with: (a) the findings of the review, or (b) the action taken by the public sector agency in relation to the application, the person may apply to the Tribunal for a review of the conduct that was the subject of the application under section 53. (1A) ... (2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders: (a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct, (b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice, (c) an order requiring the performance of an information protection principle or a privacy code of practice, (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency, (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant, (f) an order requiring the public sector agency not to disclose personal information contained in a public register, (g) such ancillary orders as the Tribunal thinks appropriate. (3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 5 of the Administrative Decisions Tribunal Act 1997. (4) The Tribunal may make an order under subsection (2) (a) only if: (a) the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and (b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency. (4A) ... (5) ... (6) The Privacy Commissioner is to be notified by the Tribunal of any application for a review under this section. The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to a review under this section. (7) ... 27By reason of subsections 21(1) of the HRIP Act, this right of external review applies to persons who have sought internal review of conduct which is alleged to be a contravention of an HPP that applies to that agency. 28The Privacy Commissioner has elected to appear in these proceedings and has made written submissions.

AJD's case 29AJD contends that the Respondent disclosed her health information without her consent when it released health records of the children to the father. She says that the Respondent released her health information for a secondary purpose without her consent. 30Additionally, or in the alternative, she says that the Respondent released her health information for a directly related purpose for which she, or a person in her position, would not reasonably expect it to be used. 31AJD points to the internal review determination as support for the submission that the Respondent was aware that her health information was contained within the children's records that it released to the father. She submits that in making a decision that her health information should be released because it had 'significant relevance' to the 'ongoing care' of the children, the Respondent based its decision on considerations outside of those allowed by HPP 11. 32In order to ascertain precisely what information was provided to the father in response to his request, AJD submitted her own request. The Respondent provided documents in response to AJD's request and subsequently advised that it believed that the documents provided would have been the same as those provided to the father. AJD's case is based on the assumption that the documents provided to her are the same as those provided to the father. 33She submits that the records provided to the father contained her health information and she itemised the types of information included. She contends that if the Respondent was authorised under HPP 7 to release the children's medical records, it was only authorised to release that part of the records that contained the children's health information. It was not permitted to release that part of the children's medical records that contained the Applicant's health information. 34[Not to be released except to the parties] 35She was not contacted by the Respondent to be informed about the release of her information. 36AJD maintains that the father's behaviour subsequent to his receipt of the children's medical records indicates that he was not aware of some of the information contained therein. He has also asserted that that was the case. Therefore, she submits, in releasing the children's medical records to the Father, the Respondent disclosed her health information to him. 37She stated that her ex-husband has been hostile to her for many years, with a history of violent behaviour, and he has used the information to further attack her. She feels violated to have her information released to someone who is so hostile to her. She has felt constantly that she has to defend herself publicly from his attacks. She had no opportunity to ensure her safety from the repercussions of her ex-husband having obtained the information. She believes that the Respondent's actions put her in an unsafe situation. It led to an extended period of time when she felt physical unsafe when in his presence. He also used the information in the Federal Magistrates Court and the Family Court to pursue sole parental responsibility for the children. 38AJD submits that her own health information was contained within the children's medical records, and that release of this information was not authorised by HPP 7, and was a breach of HPP 11. 39She submits that this information is not the children's health information. She says that it pertains to her and clearly falls within the definition of section 6. She submits that the Respondent appears to have made the arbitrary decision that all information that happens to be within the physical file of a child's medical records is automatically that child's health information and only that child's health information. 40She submits that the Respondent appears to be implying that because it believed that the information may have been simultaneously both the children's health information as well as her health information, then the obligations imposed on it by the HRIPA with regard to the children's health information applied, whilst the obligations imposed by the HRIPA and GIPA with regard to the Applicant's health information did not. The Respondent offers no support for this position. 41She says that it cannot be argued that the relevance of her health information to the health of the children causes the information to become the children's health information. There may, for example, be highly relevant and important health information contained within a person's parent's or grandparent's medical records, yet there is no provision within the HRIPA by which that health information can be reclassified as the health information of another and thus accessible to them without consent. Therefore, she submits, there is no lawful basis for determining that her health information becomes the children's health information, just because it is relevant, or even important, to them. 42She submits that there is no rationale as to what aspects of a parent's health information becomes transformed into the child's health information, other than whatever parental information happens to be captured in the child's medical records. This results in many aspects of the mother's health information becoming classed as the child's health information, whilst potentially equally valuable health information of the father and other relatives remains solely in their medical records, inaccessible to the child or her authorised representative. 43In the alternative, AJD submits that the Government Information (Public Access) Act 2009 ("the GIPA Act") required that the Respondent consult with her prior to releasing her health information. 44AJD submits that the conditions imposed by the GIPA Act upon the release of information under HPP 7 are imported into the HRIP Act and the Tribunal must take them into consideration when determining this matter. She says that her health information released by the Respondent met the criterion set out in section 54(1)(a) of the GIPA Act. It was information of a kind that requires consultation under that section. 45Further, she says that the health information met the criterion set out in section 54(1)(b). It was information where it appeared that "the person may reasonably be expected to have concerns about the disclosure of the information." She says that she reasonably held concerns about the release. She also says that it is apparent from a diary note of 24 February 2011 that the Respondent considered that she might have had concerns about the disclosure of her health information. Further, she says that the health information met the criterion set out in section 54(1)(c) in that her concerns may reasonably be expected to be relevant to the question of whether there is a public interest consideration against disclosure of the information. Pursuant to clause 3 of the table to section 14 of the GIPA Act: There is a public interest consideration against disclosure of information if disclosure of the information could reasonably be expected to have one or more of the following effects: (a) reveal an individual's personal information, (b) contravene an information protection principle under the Privacy and Personal Information Protection Act 1998 or a Health Privacy Principle under the Health Records and Information Privacy Act 2002 , ... 46Therefore, she submits, since disclosure would have revealed her personal information, the GIPA Act identified a public interest consideration against the disclosure of the Applicant's health information and the Applicant's concerns were relevant to this public interest consideration. Even if it was ultimately determined that the public interest considerations in favour of disclosure as set out in section 12 of the GIPA Act outweighed the public interest considerations in favour of non-disclosure of her health information, the GIPA Act does not provide for this decision to be made by the Respondent without consultation with the person to whom the information pertains, where consultation is practicable. 47AJD submits that consultation was practicable. At all relevant times, she lived in Sydney and was an outpatient of the Respondent. Her contact information was therefore readily available to the Respondent. 48AJD submits that since her health information was contained within the children's medical records, the Respondent was obliged to redact it from the records released; or, in the alternative, if it was determined that the information was also health information of the children, to consult with the Applicant prior to release in accordance with the GIPA Act. 49She submits that if the Respondent was going to release detailed medical information about her she should have been informed and given the opportunity to dispute the release of all the information. 50She stated that she is aware that her personal information has been disclosed to a number of people. She has no control over the use of her personal medical history.

The Respondent's case 51The Respondent concedes that it provided a copy of the children's medical records to the father as the children's representative. It says that the children lacked capacity by reason of age and so the request was made on their behalf by their father, who, as a person having parental responsibility for the children, was an authorised representative. Further, the Respondent says that it was obliged to provide a copy of the records to the father pursuant to HPP 7. It further says that in providing a copy of the medical records to the father, it complied with the NSW Health Privacy Manual. The Respondent denies that it had any secondary purpose for providing a copy of the medical records. It says that the purpose was to comply with HPP 7. 52Further, the Respondent says that it had no obligation to obtain AJD's consent to provide a copy of the children's medical records to the father; and that HPP 7 did not authorise or permit the Respondent to make the provision subject AJD's consent. The Respondent denies that it had any obligation to notify AJD that the father had applied for a copy of the medical records; to seek or obtain the permission of AJD to provide a copy of the medical records; or to ascertain any purpose for which the father had applied for a copy of the medical records. 53The Respondent says that information is not disclosed to a person within the meaning of the HRIP Act if the information is already known to the person. It does not admit that any information about AJD was disclosed to the father through the provision to the children's medical records. 54Further, the Respondent says it had no obligation to redact any part of the copy of the medical records provided to the father. 55The Respondent denies that it did not take steps to ascertain whether parenting orders for the children were in place; and says that no parenting orders were in place when it provided a copy of the medical records to the father. It denies that it has caused AJD to suffer any loss and does not admit that AJD has suffered any loss. 56The Respondent contends that the records released were the records of the children, not AJD's records. In support of that contention it refers to AFC v Sydney Children Hospitals Specialty Network [2012] NSWADT 189. At paragraphs [37] - [40] Judicial Member Molony stated: 37 The question of whether a given piece of personal information is properly regarded as health information or personal information is one that requires a decision maker to look at the relevant context, and not to be overly technical: JD v Medical Board (NSW) [2008] NSWADT 67 at [24]. 38 The Agency took the view that the nurses' notes contained health information, apparently because the information is found in the medical records of AFC's son. While I agree that this information is health information of AFC's son because it was collected in providing a health service for him, I am unable to agree that it is health information when considered as it relates to AFC. 39 The nurses' notes contain written observations of his behaviour and opinions concerning AFC. This is personal information relating to him. It does not, however, satisfy any of the elements of the definition of health information. It does not (a) relate to his physical or mental health; (b) concern his wishes relating to the provision of health services to him; (c) relate to a health service provided to him; (d) contain information collected in provided a health service to him; (e) contain information collected in connection with a donation; (f) contain genetic information; or (g) contain health care identifiers. 40 As a consequence I am satisfied that the information in the nurses notes relating to AFC is personal information to which the PPIP Act apples. This is one of those instances referred to by the authors of Robinsons, NSW Administrative Law Service (Thompson Reuters) when they commented at [70.40380] that - There are likely to be many instances where a document will contain both "personal information" which is not "health information" (thus invoking the jurisdiction of the PPIP Act) and "health information" (thus falling under the compass of the HRIP Act). 57The Respondent concedes that some of the health information of each child was also AJD's "health information" but says that there was no health information of AJD in the records that were released that was not also health information of the relevant child. 58The Respondent accepts that there would be a public interest consideration against disclosure if disclosure could reasonably be expected to reveal an individual's personal information. However, it submits that pursuant to section 54(1) the GIPA Act an agency is to consult on public interest considerations only if it is reasonably practicable and paragraph (a), (b) and (c) apply. 59The Respondent says that neither the HRIP Act or the GIPA Act require or permit notification or warning of this process. Further the Respondent does not concede that AJD would reasonably have been expected to have concerns about disclosure in this case because she provided the personal information for the purpose of provision of health services to the children (as well as to herself) and the information was being disclosed to the children through their authorised representative. 60The Respondent further submits that, even if AJD might reasonably have been expected to have concerns, those concerns could not reasonably be expected to be relevant to the question of whether there was a public interest consideration against disclosure of the information. This is because of the strength of the children's rights to their own health information. Any interest AJD might have in maintaining her privacy could not outweigh the public interest in disclosure to the children. 61The Respondent contends that the health information disclosed to the children was important health information. The children's access to their own health information could not be made subject to any privacy concerns of AJD. Further, pursuant to section 55 of the GIPA Act, an agency is entitled to take the personal factors of the application into account. The Respondent submits that here the personal factors are all in favour of providing the children with access to the information. 62The Respondent notes the definition of "health information" contained in section 6 of the HRIP Act and submits that it is unarguable that all of the information and the children's medical records is health information of the relevant child, including all of the information that AJD identified. It submits that at the very least, it is personal information collected to provide, or in providing, a health service to the child. 63In summary, the Respondent submits that the Tribunal should find that no HPPs have been breached.

The Privacy Commissioner's submissions 64In the Privacy Commissioner's view it is best practice to ensure that only information that relates to the individual concerned is held in a health record. That is, where a third party's information whether personal or health, is collected, it is included with their health information. 65If health information relates to another person it should be noted separately for the purposes of identification. Information relating to a third party (whether health or personal) should be redacted before it is released to protect the privacy of the third party. 66Mr McLaughlan, for the Privacy Commissioner, submitted that the onus is on a health service provider to comply with the HPPs when dealing with health information 67He submitted that in considering the application of section 6(b) of the HRIP Act in relation to this case, it is possible to determine and distinguish the health information that relates to each particular individual from any health information that is or may be shared (or relevant to both individuals), if any. 68Mr McLaughlan referred to the 'NSW Health - Health Care Records - Documentation and Management Policy Directive' dated 21/12/2012 issued by the Ministry of Health ("the Health Policy Directive"). The Health Policy Directive provides information as to the standards expected for health care records. It states: 2.2 Standards for documentation Documentation in health care records must comply with the following: ... p) Be relevant to that patient/client. q) Only include personal information about other people when relevant and necessary for the care and treatment of the patient/client. 3.2 Individual health care record An individual health care record with a unique identifier (eg unique patient identifier, medical record number) must be created for each patient / client who receives health care. Every live or still born baby must be allocated a unique identifier that is different to the mother. ... 69It is the Privacy Commissioner's submission that, consistent with the Health Policy Directive, while health information may overlap, it is possible to distinguish the health information of each individual. 70Mr McLaughlan submitted that an issue that relates to medical events that occurred before the child's birth cannot be the health information of the child. He submitted that, when determining whether health information is that of a particular individual, there should be consideration of the specific context and relevant facts. In this case the information in dispute can be attributed to one party or the other and is not the health information of both parties.

Discussion 71I agree with the Privacy Commissioner's submission that there needs to be consideration of the specific context and relevant facts. However, I do not agree that an issue that relates to medical events that occurred before the child's birth cannot be the health information of the child. Nor do I agree that the information in dispute can only be attributed to one party or the other and not both parties. 72AFC v Sydney Children Hospitals Specialty Network does not assist in relation to this issue as Judicial Member Molony did not need to address the question of whether health information could be attributable to two different individuals at the same time. 73In my view, to the extent that an individual's information was "collected to provide, or in providing, a health service" to their child, that health information could also be the health information of the child. 74For example, a mother's health information that relates to an illness or hereditary condition could be relevant to the provision of a health service to her child. In my view, that health information of the mother could also be the health information of the child. Similarly, if the information related to an illness or hereditary condition of the child's father, that information could also be the health information of the child. 75It is also my view that to the extent that a mother's conduct during a pregnancy has the potential to affect the child's health, the information could be relevant to the provision of a health service to the child. 76In my view, the information that is the subject of this application is AJD's health information. Several pieces of AJD's health information are involved. The issue at the centre of the dispute is the release of information that AJD suffered from a serious chronic illness. In my view, the information concerning AJD's illness was relevant to the provision of health services to the children and was reasonably collected for that purposes. It is clear from the records that a health service was provided to one of the children in relation to that illness. It is also clear that a health service was provided to one of the children in relation to another issue and that knowledge of another aspect of AJD's health information was relevant to the provision of that health service. 77To the extent that AJD's health information was relevant to the provision of those health services, it is my view that the health information was health information of both AJD and the children. 78It is not in dispute that the father was entitled to obtain a copy of the children's health records. It follows that there can be no breach of the HPP 11 disclosure provisions in providing the father access to the children's health records containing the children's health information. 79As noted above, AJD has identified her health information that was included on the children's records. By reference to the identified information, it is my view that the following is health information of both AJD and the children: 80[Not to be released except to the parties] 81It is also possible that some of this information was already known to the father and if that was the case there could be no breach of HPP 11 as the information had already been disclosed. 82I accept AJD's argument that the GIPA Act has some role to play in determining whether information should be released. I accept that because some of the information released was both AJD's health information and that of the children, section 54(1) of the GIPA Act required the Respondent to take such steps as were reasonably practicable to consult AJD before providing the father with access to information. However, in the circumstances it is my view that the public interest in the children being able to access their own health information is overriding. I agree with the Respondent that any interest AJD might have in maintaining her privacy could not outweigh the public interest in disclosure to the children. For this reason, it is my view that it was not reasonably practicable to consult AJD before providing the father with access to information. 83I note the Privacy Commissioner's reference to the Health Policy Directive and the requirement that health care records be relevant to the particular patient and only include personal information about other people when relevant and necessary for the care and treatment of that patient. 84In my view, some of AJD's health information that was included on the children's records was neither relevant nor necessary for the care and treatment of the children. By reference to the identified information, on the material before me I am unable to ascertain any relevance of the following information to the provision of health services to the children: 85[Not to be released except to the parties] 86I accept that in some circumstances the results of some tests undertaken by a mother could be relevant to treatment of a child. However, in the circumstances of this matter I have no material to establish such relevance. 87I again note that it is also possible that some of this information was already known to the father and if that was the case there could be no breach of the HPP 11. 88While I accept that some of AJD's health information was held on one or both of the children's records, I do not agree that the information takes on the status of being the children's health information merely from inclusion of the information on those records. In my view, in order to fall within the definition of "health information" in subparagraph 6(b) of the HRIP Act, the information must have relevance to the particular health service to be provided. 89Some of AJD's health information could never be relevant to any health service provided to the children. Therefore, it should not have been released with the children's records. 90I agree with AJD's submission that the Respondent was only authorised to release that part of the records that contained the children's health information. It was not permitted to release that part of the children's medical records that contained AJD's health information if it was not also the children's health information. 91Subsection 11(3) of the HRIP Act provides that an organisation must not do anything, or engage in any practice, that contravenes an HPP. I agree with AJD's contention that the Respondent has breached that provision by releasing AJD's health information. 92In the absence of any evidence with respect to the state of the father's knowledge, I also agree with AJD's contention that the Respondent disclosed some of her health information without her consent and in circumstances in which none of the provisions of HPP 11 were applicable. In my view, the Respondent has breached HPP 11 in relation to the release of that part of the children's medical records that contained AJD's health information that was not also the children's health information. 93I am also satisfied that by retaining AJD's health information on the children's health record, the Respondent failed to ensure the security of AJD's health information against unauthorised use and disclosure. 94To some extent the parties have address the question of what consequences should flow from these findings. I propose to allow further submissions in that regard and I also encourage the parties to attempt to reach agreement on the issue. 95In the circumstances, unless the parties are able to come to some agreement, the matter is to be listed for a further planning meeting to determine the future progress of the matter.

Order The matter is listed for a planning meeting at 2pm on 14 October 2014

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales. Registrar DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated. Decision last updated: 02 September 2014

At a glance

Court

Decision date

Source

Judgment (8 paragraphs)

Parties

Cited By (1)