AOZ v Rail Corporation NSW

NCAT Appeal Panel|2015-08-19

Reasons For Decision

In 2013, the appellant applied to the Tribunal for review of the conduct of the respondent, RailCorp, in relation to the way it managed her personal health information in connection with a workers compensation claim. In that regard, RailCorp was required to observe the Health Privacy Principles (HPPs) laid down by the Health Records and Information Privacy Act 2002 (HRIP Act). She alleged various contraventions of the HPPs.
The Tribunal found that RailCorp had not contravened any of the HPPs put in issue, and dismissed the application: AOZ v Rail Corporation NSW [2013] NSWADT 239. The appellant appealed to the Appeal Panel. We dismissed the appeal, save in one respect: AOZ v Rail Corporation NSW [2014] NSWCATAP 76.
On that point, we extended the appeal to the merits, and made a finding that RailCorp had contravened HPP 4(2) (individual to be made aware of certain matters). We invited the parties to make submissions on the appropriate order. The timetable was set on 20 January 2015. It was later varied and extended, primarily at the request of the appellant. In that regard, on 18 March 2015, the presiding member refused an application by the appellant to reopen the entire appeal. The appellant filed her submissions, in the form of an affidavit, on 24 April 2015, and the respondent filed its submissions on 22 May 2015.
This decision deals with the question of the appropriate order.
By virtue of s 21 of the HRIP Act, the order-making power relevant to this case is found in the Privacy and Personal Information Protection Act 1998 (PPIP Act). Section 55(2) provides, relevantly: (2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders: (a) subject to subsections (4) …, an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct, (b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice, (c) an order requiring the performance of an information protection principle or a privacy code of practice, (d) an order requiring personal information that has been disclosed to be corrected by the public sector agency, (e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant, (f) an order requiring the public sector agency not to disclose personal information contained in a public register, (g) such ancillary orders as the Tribunal thinks appropriate. (3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997. (4) The Tribunal may make an order under subsection (2) (a) only if: … (b) the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

Background: Recapitulation

We will give a short summary of the background. Fuller accounts are found in the first instance decision and the primary appeal decision.
The appellant commenced employment with RailCorp as a transit officer in January 2004. In August 2004, she injured her back in the course of trying to apprehend an offender. RailCorp considered that the she had recovered from the injury by the end of 2005. She and RailCorp remained in dispute as to whether her later experience of back problems was compensable. RailCorp contended that this later experience was attributable to a long term degenerative condition that predated her employment. In 2013 the Workers Compensation Commission (WCC) rejected RailCorp's opinion, and found that she had suffered from exacerbations of back pain as a result of the 2004 injury, and continued to suffer from the effects of that injury. It granted her application (under s 60 of the Workers Compensation Act 1987) for a cost of treatment and expenses order.
At the heart of the appellant's complaint was the action of RailCorp in 2012 in preparation for the WCC hearing in obtaining, without her knowledge, all medical consultation records relating to her, dating back to 1999, from the two medical practices that she had regularly attended (a practice at Warringah which she had attended between 1999 and 2009, and a practice at Dee Why which she had been attending since 2010).
The appellant argued before the Tribunal that the collection of her past medical records had been overly broad, the use of them had been affected by the same deficiency, as had their disclosure to the WCC for its hearing. The Tribunal did not accept these submissions, referring primarily to the nature of the dispute which involved the difficult issue of whether ongoing pain was attributable to a workplace injury or was caused by an (admitted) degenerative condition personal to the claimant. The Tribunal also referred to consent authorities for collection that the appellant had given at various points of the original claim process and the subsequent claim process. The Tribunal found that RailCorp's collection of these records did not infringe HPPs 1 and 2 (standards governing the collection of health information), or HPPs 9, 10 and 11 (limitations on use and disclosure).
An important feature of personal data protection laws, of which the HRIP Act is an instance, is that collectors of personal data are required to provide information to individuals about: the extent and scope of their collection activities; about what they may do with that data; and how individuals can go about exercising their rights to see the information collected about them. These obligations seek to promote the goals of transparency and fairness in relation to the information management practices of collectors of personal data. HPP 4 of the HRIP Act deals with two sets of circumstances: those where the collector is collecting the data directly from the affected individual; and those where the collector is collecting the data from a third party (i.e. 'indirectly'). HPP 4(1) deals with direct collection; HPP (4(2) deals with indirect collection. The remaining sub-principles, HPP 4(3) to HPP 4(7) apply to both circumstances.
HPP 4(2) to (7) bear on this case. They provide: 4 Individual to be made aware of certain matters (2) If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is generally aware of the matters listed in subclause (1) [i.e. (a) the identity of the organisation and how to contact it, (b) the fact that the individual is able to request access to the information, (c) the purposes for which the information is collected, (d) the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind, (e) any law that requires the particular information to be collected, (f) the main consequences (if any) for the individual if all or part of the information is not provided.] except to the extent that: (a) making the individual aware of the matters would pose a serious threat to the life or health of any individual, or (b) the collection is made in accordance with guidelines issued under subclause (3) (3) The Privacy Commissioner may issue guidelines setting out circumstances in which an organisation is not required to comply with subclause (2). (4) An organisation is not required to comply with a requirement of this clause if: (a) the individual to whom the information relates has expressly consented to the organisation not complying with it, or (b) the organisation is lawfully authorised or required not to comply with it, or (c) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or (d) compliance by the organisation would, in the circumstances, prejudice the interests of the individual to whom the information relates, or (e) the information concerned is collected for law enforcement purposes, or (f) the organisation is an investigative agency and compliance might detrimentally affect (or prevent the proper exercise of) its complaint handling functions or any of its investigative functions. (5) If the organisation reasonably believes that the individual is incapable of understanding the general nature of the matters listed in subclause (1), the organisation must take steps that are reasonable in the circumstances to ensure that any authorised representative of the individual is aware of those matters. (6) Subclause (4) (e) does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence. (7) The exemption provided by subclause (4) (f) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.
In its reasons the Tribunal at first instance said: 34 As discussed above, HPP 4 requires, amongst other things, that a person must be told why their health information is being collected, what will be done with it, and who else might see it. HPP 4(4)(a) provides that an organisation need not comply with its obligations under HPP 4 where the person has expressly consented to the organisation not complying with the requirements of the HPP. 35 The Applicant said that RailCorp only informed her solicitor approximately five months after the request and collection of her medical files. Prior to that, she was unaware they had been obtained in their entirety. Further, she contended, the WorkCover medical certificate consent does not support notifying an "injured worker" that an insurer can request, collect and store medical records in their entirety and outside scope of claim, nor does it fulfill functions under WorkCover legislation. 36 AOZ signed the consent on three WorkCover medical certificates in 2011 and the 2004 claim form. As a result she did not need to be further advised that RailCorp was collecting the information and RailCorp was not obliged to comply with HPP 4(2).
At the first day of hearing of the appeal, we expressed concern over the adequacy of the Tribunal's reasons in this regard. We noted that the decision did not explain how the texts of the consents that were given could be said to involve an express consent to non-compliance with the terms of HPP 4(2). We, in effect, extended the appeal to the merits on this point. We sought further submissions from RailCorp. We concluded as follows: Further Submissions 67 The appellant submitted that the principle of prior notice of the third party collections was not observed. She submitted that the WorkCover certificates she had signed do not constitute notices that comply with HPP 4. She contended that had she been informed that requests for all medical records were to flow from the authorisations she had given, she might have been able to seek an explanation, and question the necessity for the action. She drew an analogy with the rights that apply when subpoenas are issued (though the analogy is inexact, in that the right of objection is one conferred on the respondent to the subpoena not the person who may be the subject of the records to which the subpoena relates). She considered that should have provided her with a notice dealing separately with each of the matters (a) to (f). 68 RailCorp submitted that while the Tribunal's reasons on this issue were 'scant' the conclusion was not wrong. RailCorp noted, as we have above, that the wording of HPP 4(2) is less strict than the wording of HPP 4(1), the obligation under HPP 4(2) is to make the subject 'generally aware' of the matters to which paragraphs (a) to (f) refer. RailCorp submitted that the circumstances read allowed for a finding of compliance with HPP 4(2). 69 As we understand the submission, it is that she knew from the consent she signed that any medical or other health service provider she had seen might be contacted. So as practical matter she knew of the fact of collections from third parties of this kind, and necessarily because of her prior association she knew the 'the identity of the organisation and how to contact it', the matter to which paragraph (a) is addressed. She was not specifically informed by the RailCorp authorisations as to whether she was 'able to request access to the information' (the paragraph (b) matter). On the other hand the records were ones made by her health practitioners about her, and she had a right, in law, to access to them. The submission was that the authorisations met the requirement of paragraph (c) in that their content and the context in which they were provided defined 'the purposes for which the information is collected'. There was nothing in the authorisations addressing paragraph (d), 'the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind', but the submission as we understood it was that the context within which the material was obtained supplied the answer to that issue, and they were regulated by the practices of the workers compensation jurisdiction. Paragraph (e) was not addressed, but again the material was being obtained pursuant to a legal framework for the assessment, management and determination of claims. Finally, as to paragraph (f) the consequences of non-supply of the information would have been that her claim would not have proceeded as efficiently, and she would have understood that. 70 It is apparent that a number of assumptions and conclusions from surrounding circumstances have to be drawn in order to make a finding of compliance with HPP 4(2). In our view, analysis of this degree defeats the protective purpose of HPP 4(2). In our view the provision is one that requires of agencies a practice that clearly addresses the matters, in paragraphs (a) to (f) to the extent applicable and relevant. This was not a situation of an ad hoc event of collection of health information from third parties. It was a routine aspect of this area of administration of RailCorp. There should, in our view, have been a standard notice in place to address the matters to which HPP 4(2) refers. There was not. 71 In our view, the matters to which RailCorp referred to do not satisfy HPP 4(2). 72 The question then becomes whether one of the exceptions applies to exonerate RailCorp from compliance. For the reasons already given we do not think that the authorisations and consents relied upon, demonstrate that the appellant 'expressly consented' to RailCorp not complying with HPP 4(2). 73 The final submission of RailCorp relies on the exception at HPP 4(2)(b), i.e. 'the organisation is lawfully authorised ... not to comply with [a requirement of this clause]' 74 RailCorp argued that the practices it followed derived from the requirements of workers compensation law, in particular the two Acts (WCA and WIMWCA) and the WorkCover Guidelines for Claiming Compensation Benefits. We accept that the administration of workers compensation claims occurs within a complex legal framework informed by guidelines and similar instruments. We were provided with a copy of the Guidelines now in force (13 March 2012 edition, replacing the guidelines dated 17 April 2009). While these guidelines lay down a strict scheme of procedure for cases where a s 74 notice has been issued, they do not, in our view, displace the agency's obligation to comply with the requirements of HPP 4. Our attention was not drawn to any provision that prevented RailCorp from complying with HPP 4. 75 Our finding is that RailCorp failed to comply with HPP 4(2) by not taking reasonable steps to make the appellant generally aware of the matters listed in sub-clause (1). We should indicate, however and in reply to the appellant's submissions, that we do not regard the failure as a grave one in the circumstances of the case, as for reasons we have given above, some of the matters to which sub-clause (1) refers would, or ought reasonably have been known to her. … 77 We have made an adverse finding against RailCorp in relation to one aspect of the case. 78 We will reconvene for a short hearing to consider an appropriate order. The order-making powers range from an order 'not to take any action on the matter' to a variety of other orders, the most significant of which is an order for monetary compensation for proven financial loss, or proven psychological injury or physical harm because of the conduct of the organisation. See further, PPIPA, s 55.

Submissions as to Appropriate Order

Appellant. The appellant noted in her submissions that she had considered whether to put any expert evidence forward in relation to the harm she has suffered by not receiving any notice compliant with HPP 4(2).
As she has done throughout these proceedings, the appellant acknowledged that RailCorp was entitled to collect past treatment records about her, but she considered that it had exceeded what was reasonable in going beyond those records that related specifically to her back injury.
She expressed concern over the possible extent to which her medical history had been seen by staff of RailCorp and others, such as professional advisers, connected to the WCC litigation. She proposed as an appropriate order in these proceedings the following: for the insurer to send the records department/treating practitioner a copy of correspondence sent to injured worker notifying the practice and doctor that the injured worker has been informed of the collection.
She added that the adoption of this practice, together with the provision of the claimant's consent (here referring to the one provided to the insurer as part of the claims management process), 'will show evidence [to the recipient] that the request made is in line with the consent provided'.
She said that her discovery that all of her medical records had been uplifted, and given to RailCorp's advisers led her to look to find another medical practitioner in which she could place her trust and be assured of confidentiality. She said that had she been informed that her records were to be examined, she could have contacted the practices and had a say in what might properly be seen for the purposes of the litigation. She questioned our comment at [75] of our primary decision that we did not see the failure to provide a HPP 4(2) notice, as involving a grave breach, as some of the matters to which HPP 4(2) refers would, or ought reasonably, have been known to her.
She reiterated the point that had she known about the fact of this collection prior to the event she would have been able to contest its justification, purpose and scope with WorkCover, the agency with authority to deal with complaints over conduct that occurs in the workers compensation system. She said that 'with the subjective view' of the Appeal Panel that the failure is not considered 'grave', it made it difficult for her to nominate an appropriate amount in relation to financial compensation. She continued that, if she were to nominate an amount, it would be for a minimum of $10,000 for 'the excessive detriment and harm to my health and wellbeing'. She said: 'So much of what had occurred could have been avoided had I known about the collection of the full clinical notes'.
Respondent. RailCorp referred to systemic changes it had made in its practices in light of our finding of contravention of HPP 4(2). It submitted that no order of the behavioural or systemic kind permitted by paras (b) to (g) of s 55(2) needed to be made. As to the possibility of a financial compensation order of the kind permitted by para (a) of s 55(2), WorkCover suggested that any order should be at the lower end of the range, and no more than $3,000.RailCorp did not challenge the statements contained in her affidavit as to the distress she had felt, and why.
RailCorp provided the following information as to the changes that had been implemented: The agency managing workers compensation claims in relation to the respondent's employees, Transport for NSW (TfNSW), has undertaken a review of its processes in relation to the notification of collection of personal information. The following processes have been implemented: (a) Providing a privacy notice to workers compensation claimants which notifies them of the matters required by HPP 4(2). (b) The privacy notice has been distributed to all TfNSW agency employees who have an open workers compensation claims. (c) For any new workers compensation claims lodged, the privacy notice has been incorporated into initial letters which are generated within the first seven days of a new claim. (d) For any reopened claims, the privacy notice will be sent as an attachment to the initial letter to the claimant. (e) The workers compensation operational manual has been updated to include a section on privacy. (f) In March 2015, all workers compensation case managers attended a training session on privacy and the new procedures.

Assessment

The steps taken by Transport for NSW are commendable. They represent an intelligent, systemic response to the difficulty identified by this case.
The traditional processes used in litigation once proceedings have commenced are those of discovery or documents summonses (or 'subpoena'). They may impact unreasonably on the privacy interests of persons the subject of the documents. Those persons may get no opportunity to object if they are not parties to the proceedings and do not otherwise learn of the occurrence of these steps. A party is in a stronger position to object.
But in this instance even though the appellant was a party to the proceedings, but the process used bypassed the discovery/summons route and instead relied on the generalised consents found in claim forms. She did not get any specific notice that the consents were to be utilised in this way.
The result was that RailCorp collected personal information about her of a sensitive, personal kind in a sweeping way. She has, we consider, a well-justified sense of having been treated unfairly in that respect. Medical records may contain all sorts of details about an individual that go beyond the particulars of the matter about which the requester of the records is concerned. She, understandably, had concern over who in the organisation for which she had worked might have seen the full breadth of her records, how many copies were taken, who can still see them, and so on. Equally, we accept that it is a concomitant of disputes of the present kind (whether the injury the subject of the claim has a non-work origin, and is not attributable to a work event) that often there will need to be an inquiry of some degree by an employer or insurer into the private medical history of the claimant.
In approaching the question of whether a financial compensation order should be made, we have the difficulty (as the appellant candidly noted in her submissions) that there is no independent assessment from a professional expert that might assist the Tribunal in satisfying itself that the applicant has suffered 'financial loss, or psychological or physical harm, because of the conduct of the public sector agency'. But, as noted, her statements in that regard have not been challenged.
In the first case of a financial compensation order in this jurisdiction, RD v Department of Education and Training [2005] NSWADT 195, the Tribunal dealt with the issue in this way: 30 In this instance the preconditions to an award of damages have been satisfactorily met. 31 The Tribunal is satisfied, in terms of the requirement of para (b) of sub-s (4) of s 55, that 'the applicant has suffered ... psychological ... harm, because of the conduct of the public sector agency'. The report of Dr Dragutinovich suffices in that regard. 32 Equally it is clear that this error is only one factor contributing to the state of the applicant's present psychological condition. The gossip and rumour to which he referred at hearing was, it would seem, the major source of the psychological harm that he has experienced in recent years. On the other hand, the Tribunal accepts that he would have been, as he suggests, quite apprehensive in the lead-up to a HealthQuest interview, and the non-resolution of the problem once it became known on 23 February 2005 exacerbated his psychological condition. The Department's evidence did not explain why once the letter had been returned 'not known at address' (the internal review report refers to a Departmental officer's recollection of this problem - paras 12 and 13), some follow-up action was not taken. 33 … 34 The applicant's claim for damages is a modest one. There is sufficient evidence here to support an assessment of $2000 for psychological harm.
Other cases where damages award have been made in this jurisdiction include: GR v Department of Housing (No 2) [2005] NSWADT 301 ($4200); NZ v Director General, Department of Housing [2006] NSWADT 173 ($4000); JD v NSW Medical Health Board (No 2) [2006] NSWADT 345 ($7500); JD v NSW Dept of Health [2007] NSWADT 219 ($4500); WT v Auburn Council [2007] NSWADT 253 ($5000 each); FM and FN v Department of Community Services [2008] NSWADT 288 ($5000). In the federal jurisdiction in Re Rummery and Federal Privacy Commissioner [2004] AATA 1221 there was an award of $8000 for a 'serious breach' (the federal law has an open-ended damages provision).
In NK v Northern Sydney Central Coast Area Health Service (No.2) [2011] NSWADT 81 the Tribunal made an order for financial compensation in the maximum amount of $40,000. In this case the Tribunal drew on the detailed consideration of the principles found in HP v Hunter New England Area Health Services [2009] NSWADT 186. These are the main points:

damages are compensatory in that the applicant should be awarded such sums of money so as that he/she may be restored to the position that he/she would have been in but for the breach:…. However, this must also be viewed in the context of the $40,000 limit as provided for in the PPIP Act;
in measuring compensation the principles of damages as apply in tort law are a guidance but the ultimate guide is the wording of the PPIP Act and its objectives;
compensation should be assessed having regard to the complainant's reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances;
'psychological harm' in s.55(4) of the PPIP Act is intended to encompass situations where an individual suffered some impairment of the mental states and processes. These being conditions such as depression and anxiety.
even where an applicant is able to substantiate loss or damage as a result of conduct that contravenes an 'information principle' under the PPIP Act, an award of damages under that Act remains a discretionary one;
compensation for alleged financial loss and alleged psychological and physical harm can only be considered where the Tribunal finds that the alleged loss and harm was 'because of' or 'caused by' the contravening conduct of the respondent.

In this case, while we have no independent evidence of psychological harm, we are prepared to accept from the submissions and material filed by the applicant, and our assessment of her when she participated in the main appeal hearing, that she has suffered emotional distress and harm, along the lines that she has asserted, because of the aspect of the conduct of RailCorp in relation to which we have made a finding of contravention. In this regard, the indication given by RailCorp is also to be commended in that it has not resisted outright the making of some award pursuant to s 55(2)(a), and to that extent acknowledges that an award under s 55(2)(a), as qualified by s 55(2)(d), is not out of the question.
Equally, it is clear, we think that the appellant's distress has a wider compass than the aspect of RailCorp's conduct in relation to which we have found a contravention.
Further, as we noted in our earlier decision, some of the information to which HPP 4(2) is directed would, or should reasonably have been known to her, as an employee and as a workers compensation claimant. To that extent the failure to abide by HPP 4(2) is lessened, though we accept that any breach of HPP 4(2) is a serious matter (for the reasons given by the appellant).
We consider that $4,000 in a suitable award in the circumstances.
We have noted the steps taken by RailCorp. They address the relationship between the organisation and the employee. They do not address the further matter raised by the appellant's proposal - the provision of some proof to the recipient of the request for documents (such as a doctor) that the organisation holds an appropriate consent or has given an appropriate privacy notice. Nor do the steps address the difficult question of allowing the claimant some say in the making of a global request, and in relation to what passes from the recipient to the employer/insurer in response to a global request. These are significant issues. It is outside the scope of this decision to get into the details of how issues of this kind should be managed so as to uphold the goals of data protection laws, such as minimising intrusiveness into personal circumstances, especially health history, and in confining transfers of information to that which is relevant, necessary and lawful for the permitted purpose.
We are, therefore, not inclined to make an order along the lines sought by the applicant. The office of Privacy Commissioner is better placed to develop standards around matters of this kind. Similarly that office is better placed to check that the improvements that have now been made will continue into the future.
There is a power to make 'ancillary orders'. In addition, we do think that RailCorp should render a formal apology in writing to appellant for the distress caused to her by its contravention of HPP 4(2) in the circumstances of her case.

Order 1. That the respondent pay the appellant $4000 by way of financial compensation for the contravention found. 2. That the respondent render a formal apology in writing to the appellant for the distress caused to her by its contravention. I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales. Registrar DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated. Decision last updated: 19 August 2015

At a glance

Court

Decision date

Source

Judgment (5 paragraphs)

Parties

Cases Cited (2)

Cited By (24)