Discussion
27 As noted above, the issue remained for determination as to whether the security measures employed by the Respondent for the protection of the medical report satisfied the requirements of HPP 5.
28 The Respondent relies on the evidence of Ms Kelly in regard to the number of copies of the medical report that are held. I agree with ALZ's submission that the evidence leaves many issues unanswered.
29 I accept that it is possible that further copies of the medical report may have been created when it was forwarded by email within the agency. There is no evidence as to whether or not that is the case. In my view it is probable that the Respondent's mail system retains a record of sent items and that a copy of the medical report would have been stored in the 'sent items' email folder when a copy of the medical report was forwarded between officers of the Respondent. In the absence of evidence to the contrary it is my view that it is probable that such a copy would not have been deleted.
30 I accept ALZ's argument that the Respondent may well have held more copies of the medical report than Ms Kelly has identified.
31 The Respondent was required to take such security safeguards as were reasonable in the circumstances. The appropriate level of security required in relation to personal information will depend on both the nature of the information and the medium in which it is stored. In this matter the information concerns ALZ's psychiatric history and is therefore highly sensitive. The protection afforded to it should reflect that level of sensitivity.
32 The issue of whether an agency has implemented reasonable safeguards has been considered in numerous matters. In MT v Director General, NSW Department of Education & Training [2004] NSWADT 194 I stated at paragraph [178]:
"178 In some cases, it may be appropriate for the information to be widely available within the School in order to meet the purpose for which it was collected. In other cases, it may be that it is only appropriate for a small number of relevant staff to be aware of the information. The presence of medical records will often signal the need for greater confidentiality, although in some cases a student's medical condition may need to be known by all staff to ensure that appropriate responses can be made in an emergency."
33 In MT at paragraph [180] I found that the failure to have a policy about handling personal information, a policy about restricting access, storing student files in a way accessible to all teachers, and lack of awareness or a system of staff training about privacy indicated a failure to take "such security safeguards as are reasonable in the circumstances".
34 In MH v NSW Maritime [2011] NSWADT 248 at paragraph [160] the Tribunal was critical of a workplace culture which allowed the circulation of personal information inappropriately and considered that it was illustrative of a failure by the agency to take reasonable safeguards of documents which obviously contain personal information.
35 In ZR v NSW Department of Education and Training [2008] NSWADT 199 at paragraph [125] I found that despite the absence of a formal access policy, reasonable safeguards had been implemented in practice:
"125 The filing cabinets in which student files were kept were locked at all times when not being accessed. The Senior Administrative Manager held the only keys to the filing cabinets. If staff needed to access a student's file they would ask the Senior Administrative Manager or another member of the administration staff to open the filing cabinet and access the information sought. Teachers were only permitted access to documents relating to a student's academic performance."
36 In FH v Commissioner, NSW Department of Corrective Services [2003] NSWADT 72 the Tribunal's President considered a complaint brought by a former prison inmate whose conviction had been set aside after part of his sentence had been served. The matter concerned information retained on an active, rather than archival, system. In that case, the President noted at paragraph [41]:
"41 ... It is not, as I see it, necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings needs to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur."
37 While the President considered that the absence of a 'log' to establish who had accessed files in a database was "less than adequate" and a "shortcoming" he found that the system on the whole possessed adequate security.
38 In NS v Commissioner, Department of Corrective Services [2004] NSWADT 263 Judicial Member Higgins found that a database which included a user warning message constituted reasonable steps to prevent unauthorised access. The warning message stated: "The information from the system now available to you is confidential and must NOT be disclosed to unauthorized persons under any circumstances, nor are you authorised to access such information for personal reasons".
39 In this matter, there is no evidence that the Respondent has adopted any safeguards of the kind considered in these cases. In contrast, the evidence suggests that a casual approach was taken to the protection of the medical report, e.g. a copy was initially placed in a tray on the Client Services Officer's desk and then in a file on her desk.
40 As ALZ has observed, the passwords and access cards to which the Respondent refers are normal workplace security measures. They do not restrict access, or log access, to ALZ's health information in a way that reflects an acknowledgement that the information is highly sensitive. In my view it would have been reasonable to expect that a greater level of security would have been in place for the protection of the medical report.
41 In regard to electronically held copies of the medical report, tracking read-only access to electronic files would have been a reasonable step to prevent unauthorised access.
42 In my view, compliance with HPP 5 would also require the Respondent to have policies or procedures to govern the handling of health information and to ensure that its staff are trained and therefore aware of their obligations under the HRIP Act.
43 In my view, the Respondent's failure to have in place adequate security safeguards, which would have been reasonable in the circumstances to protect against unauthorised access, constituted a breach of HPP 5. If policies or procedures are in fact in place, and staff have been trained in regard to their obligations under the HRIP Act, there is clearly a need for further training.
44 In my view, the Respondent has contravened HPP 5.
45 The parties have not made submissions with respect to what, if any, orders should be made in relation to the breaches. In the circumstances it is appropriate that the matters be listed for a further planning meeting so that a timetable can be set regarding the further conduct of the matters.