The essential issue for this Tribunal is whether there has been a breach of s 12(c) of the Privacy and Personal Information Protection Act 1998 (Privacy Act) (and its health privacy analogue) when a public sector agency, in this case the respondent, loses a medical certificate, but the certificate's contents are not disclosed. For the reasons which follow, I conclude there is no such breach because there were in place security safeguards against loss which were reasonable in the circumstances.
The parties are to be given an opportunity to make submissions as to whether there can be any order other than dismissal in those circumstances.
[2]
Facts
The hearing of this matter, by consent of the parties, is on the papers. I have considered the material filed by each party. It is common ground that:
1. The applicant (now known as CLT) is employed by the respondent, and has made claims from time to time under the Workers Compensation Act 1987.
2. On 2 April 2013, at approximately 7:45 pm, for the purpose of making such a Workers Compensation Act claim, the applicant faxed a copy of her medical certificate to the respondent's Work, Health and Safety Directorate;
3. Although the Directorate received the faxed certificate, it cannot now locate it, and it is to be treated as 'lost'. However, there is no evidence that any unauthorised person has read or obtained the certificate as a result of its loss.
4. In those circumstances, the applicant asserts, and the respondent denies, that there has been a breach of s 12(c) of the Privacy Act which provides that "A public sector agency that holds personal information must ensure that … that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss…" That is, relevantly, in the same terms as Schedule 1, Clause 5(1)(c) of the Health Records and Information Privacy Act (Health Privacy Act) (those two norms can conveniently be described here as 'Information Privacy Principle 5'; or 'IPP 5').
The applicant was aggrieved as she considered that IPP 5 had been breached by reason of that loss, and she sought an internal review of the respondent's conduct under s 53 of the Privacy Act. By s 53(7) of the Privacy Act it is provided that:
(7) Following the completion of the review, the public sector agency whose conduct was the subject of the application may do any one or more of the following:
(a) take no further action on the matter,
(b) make a formal apology to the applicant,
(c) take such remedial action as it thinks appropriate (eg the payment of monetary compensation to the applicant),
(d) provide undertakings that the conduct will not occur again,
(e) implement administrative measures to ensure that the conduct will not occur again.
In this case the respondent found there was no breach of IPP 5.
The respondent applies to this Tribunal under s 55 of the Privacy Act. Section 55 confers jurisdiction to review the respondent's actions in relation to the alleged breach of IPP 5, and, by s 55(2):
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A) [which imposes a 12 month limitation period and requires a finding that that 'the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency'] an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
By consent of parties dated 16 February 2016, it was agreed that this Tribunal would first determine whether the respondent was liable for the alleged breaches of IPP 5 and then consider any remaining issues such as relief.
I have carefully considered the applicant's submissions and, for the reasons set out in the submissions of the Respondent filed 12 February 2016, they are misconceived. There have been earlier determinations by the Tribunal concerning claims made by this applicant. In particular, as was made clear by previous Tribunal decisions, although there are allegations of earlier, similar losses of medical certificates, the sole matter before me relates to the loss of the applicant's medical certificate dated 2 April 2013, and whether such loss involves a breach of IPP 5. Specifically, the question is whether the loss of the particular certificate demonstrates the respondent failed to ensure that it took "such safeguards as [were] reasonable in the circumstances against loss". I do not have regard to complaints about conduct which would be beyond my jurisdiction to consider.
[3]
IPP 5
The emphatic command in IPP 5 to 'ensure' the protection of personal information does not create a system of strict liability, because the statutory command is tempered by a requirement that the security safeguards against loss need only be reasonable in the circumstances. There are a number of relevant decided matters which explain what IPP 5 means.
In FH v Commissioner, NSW Department of Corrective Services [2003] NSWADT 72, when a former prisoner's criminal sentence was quashed, but the respondent did not remove the record of conviction that it held, O'Connor DCJ said at [41]:
These shortcomings in the system as they relate to ex-inmate data (the matter in issue in this case) could not, I consider, reasonably justify the conclusion that viewed overall the security system lacks adequate safeguards. It is not, as I see it, necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings need to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur.
In 2006, Spigelman CJ, speaking for the Court of Appeal in Director-General, Department of Education and Training v MT [2006] NSWCA 270 said at [46] in relation to the interpretation of s 62 of the Privacy Act:
Nothing in the text or the scope and purpose of the legislative scheme suggests that Parliament intended to impose absolute regulatory liability. Indeed, s 12(c) itself imposes an obligation only to adopt such "safeguards as are reasonable in the circumstances".
In 2008, in BE v University of Technology, Sydney [2008] NSWADT 139, where five letters between the applicant's husband and the Chancellor of the University (all of which contained his personal information and two of which contained his health information) went missing or were lost, Deputy President Handley stated at [79]:
I am satisfied … that UTS has reasonable security safeguards in place to protect personal information in its possession. Whilst UTS has been unable to account for the loss of the correspondence between BE and the Chancellor, there is no evidence that BE's personal information has been obtained by persons other than those referred to in the current matter.
In 2009, in the related matter of EN v University of Technology, Sydney (No. 2) [2009] NSWADT 193 the same Deputy President said at [66]:
That UTS lost the letters has already been conceded. At issue, is whether there has been a breach of section 12(c) of the PPIP Act and, in relation to two of the five letters containing EN's health information, a breach of HPP 5(1)(c). In my view, there is no doubt that UTS failed to properly secure these particular letters. However, as I stated in BE v UTS, there is no evidence that any personal or health information contained in the letters has been obtained by persons other than those involved in this matter. …the fact that UTS has lost personal/health information does not necessarily mean that section 12(c)(i) or HPP 5(1)(c) have been breached. It is a question of whether UTS had security safeguards in place that were reasonable in the circumstances to protect against such loss.
Finally, in XW v Department of Education and Training [2009] NSWADT 73 it was said that:
[67] [IPP 5] requires consideration of the nature of the information, which would include its sensitivity, and the consequences of loss …
[91] …in BE [it was said]… that loss of correspondence is not of itself evidence that security safeguards are inadequate. I agree. The test in s12 is an objective one, and focuses on whether security safeguards are reasonable "in the circumstances".
[92] … the "practical difficulties facing agencies need to be taken into account".
[4]
Evidence
Evidence has been received by the Tribunal on behalf of the respondent by Daniel Palmer, the Relieving Manager, Health and Wellbeing, in the Work, Health and Safety Directorate of the respondent.
He commenced that particular role in October 2013, but as of January 2013, was Leader, Injury Management and Senior Rehabilitation Officer. His evidence, which I accept as being within his knowledge (or upon which his opinion has weight), is not inherently unreliable and was not challenged by way of cross-examination by the applicant, (who has chosen to agree to a hearing on the papers), establishes the following.
The WHS Directorate has 40 staff and approximately 4-6,000 active workers' compensation claims each year, of which the applicant's is one. The Directorate operates within a secure, locked floor in a Sydney suburb, accessible only by electronic security cards, permitting access only to WHS Directorate employees and escorted visitors. The Directorate operates a computer-based case management system for workers compensation claims.
Necessarily, applicants for workers' compensation are required to provide information, including medical certificates, to the WHS Directorate. They had, and have four options for so doing:
1. Fax to one of three dedicated fax machines in the secure office;
2. An email sent to the relevant advisor, or to a more general claims email address;
3. Regular mail to street or post box of the Directorate; or
4. Provision to the line manager or supervisor of the employee in their own workplace for forwarding to the WHS Directorate, using one of those three methods.
Importantly, electronic copies or photocopies (in contrast to originals) are sufficient for medical certificates. In view of one of the contentions of the applicant that she wished to be able to send medical certificates by registered post, Mr Palmer explains the difficulty with that course, namely that if the addressee is a particular staff member, they or their authorised agent need to go in person to collect at the post office, and this is not practical given the overall staff workload.
When certificates are received within the secure area, staff are assigned to collect them and this occurs many times during the day. Documents which have been processed and scanned into the Directorate's secure case management system, are then placed into one of seven secure disposal bins, which are emptied regularly by a company contracted for that secure disposal purpose.
Although, on occasion, medical certificates might be identified as 'missing' or 'not received', that can be for reasons including misdirection by Australia Post, incorrect addressing of an email or fax, or an employee's doctor failing to send the certificate at all.
Approximately 500-750 medical certificates and related documents are received each week. There is no process to automatically acknowledge receipt and because of the volume and the disparate methods of receipt, it is not reasonably practicable to manually acknowledge all documents received. If possible, and if requested however, receipt may be acknowledged.
In addition, privacy training was and is provided to staff.
Mr Palmer was of the opinion that the processes were an effective means of supporting the claims and injury management process, while ensuring personal and health information was kept reasonably secure.
Turning then, to the circumstances of the applicant's certificate, there were no gaps in the date range of the operative medical certificates, which explains why the 2 April loss of the certificate was not earlier noticed. By the time that loss was identified on 24 May 2013 the fax activity log no longer contained records for 2 April and the certificate could not otherwise be found.
Mr Palmer's opinion was that the most likely explanation for the loss of a fax received on the secure fax machine, is that it was inadvertently placed in a secure disposal bin before being scanned; another possibility was that it was incorrectly saved in the case management system, or thirdly, there might have been a technical issue with the fax machine so that the certificate was not printed. Nevertheless, his evidence was that the certificate being lost in this way was an "extremely rare" occurrence.
For the reasons already set out, I accept all of his evidence, including his opinion evidence.
[5]
Consideration
Many of the submissions made by the applicant relate to alleged earlier losses of medical certificates by the respondent. There have been earlier rulings that those matters are outside the Tribunal's jurisdiction. I therefore do not propose to deal with them. Further, much of the submissions made by the appellant are irrelevant to the narrow issue whether, on the evidence, there has been a breach of IPP5.
It can be seen from the cases cited above that, in deciding whether safeguards against loss were reasonable in the circumstances, I must consider:
1. Whether the loss of the personal information resulted in its disclosure or misuse;
2. The sensitivity of the personal information involved;
3. The practical difficulties faced by the respondent in safeguarding the information; and
4. The significance of the shortcomings (if any) in the established circumstances.
My central focus is what systems were in place in April 2013.
[6]
Whether the loss of the personal information lead to its disclosure or misuse
There is no evidence of either disclosure or misuse of the certificate and I am not prepared to find that either has occurred given the evidence as to safeguards. The most likely occurrence is that either the certificate was inadvertently placed in a secure disposal bin before being scanned or (less likely) that it was incorrectly saved in relation to another claim in the secure case management system: in either case, there was human error. The third possibility is that the fax machine malfunctioned: a case of mechanical error. In every case, there are strong safeguards against disclosure and the lack of disclosure in this case is itself evidence of the general efficacy of those safeguards.
[7]
The sensitivity of the personal information involved
The certificate included the applicant's personal details (name, address, contact number, occupation), the date her injury was sustained, a brief description of how that injury occurred, her diagnosis, whether the doctor considered that her employment was a substantial contributing factor to the injury, and the doctor's assessment of her fitness for work.
Of course, that information is of some sensitivity and I accept that its loss is distressing to the Applicant.
[8]
The practical difficulties faced by the respondent
The evidence is that there are 4-6,000 active workers' compensation claims received each year, and about 3,000 receipts of information per month. As the respondent concedes, like any human system, it no doubt could be improved but the critical safeguard is that the certificates are received by fax and logged in a secure area. In this context, with limited resources, the system appears more than adequate. I accept that the registered post, and the individual receipt options are, as Mr Palmer explains, not practicable in the circumstances, but importantly, their absence does not indicate that reasonable safeguards are not in place.
[9]
The significance of any shortcomings and the reasonableness of the safeguards in the circumstances
Mr Palmer's evidence is that the loss of documents is extremely rare. Although loss of medical certificates and the information they contain could well result in a serious intrusion into the patient's/claimant's privacy if there was disclosure to unauthorised persons, I do not accept that there are systemic shortcomings. Rather, the cause of the loss here appears to have been human error, or possibly mechanical error. As shown by their absence here, every type of error carried with it negligible risk of misuse or unauthorised risk of disclosure.
Like every other employee entitled to the benefit of this IPP, the applicant was entitled to reasonable safeguards to protect her information from loss or misuse. Those reasonable safeguards existed in April 2013 and continue to exist.
[10]
Conclusion
It follows that there has been no breach of IPP 5 established on the evidence. Subject to hearing further from the parties, I am inclined to accept the respondent's submission that it is not appropriate to make any orders under s 55(2) of the Act.
I therefore order that:
1. Within 14 days of the date of this decision the applicant is to file and serve any evidence and submissions as to what relief should be granted; and
2. The respondent is to file its responsive evidence and submissions within a further 14 days. (Both parties should indicate whether they have any objection to the matter continuing on the papers and if not why not.)
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 18 May 2016