In these reasons the name and address of the Applicant have been anonymised so as to preserve the privacy of their personal affairs. In these reasons the Applicant is referred to as EOE. I will refer to the relevant address as "X Avenue".
The Applicant seeks review of conduct which they allege amounts to a breach or breaches of the Health Records & Information Privacy Act 2002 ("HRIP Act"). These proceedings concern alleged breaches of the Health Privacy Principles ("HPPs") set out in Schedule 1 of the HRIP Act.
The Applicant's complaint is that the Hunter New England Local Health District ("the Respondent") sent a letter of offer for a medical procedure to the wrong postal address. The Respondent maintains that it sent the letter of offer to the address which the Applicant had provided to it.
[2]
The Complaint
The Applicant identified the conduct the subject of the review in the following terms:
1. The company disclosed my personal Information to another person by sending my personal health information to an unknown address.
2. Failure to protect my personal Information from being inappropriately accessed by someone else.
The Applicant described the complaint in the following terms:
1. collection of my personal or health Information;
2. security or storage of my personal or health Information;
3. accuracy of my personal or health information; and
4. disclosure of my personal or health information.
The Applicant identified the effects that the conduct had had on them to include:
1. anxiety and stress;
2. PTSD;
3. Absent from work;
4. Depression;
5. Breach on my human rights;
6. Lost the ability to control who can see or use information about me;
7. Don't feel safe; and
8. A Loss of trust with health professionals.
The Applicant also identified a number of effects that the conduct might have on them in the future to include:
1. Identity theft;
2. Stalking;
3. Harassment;
4. Access various websites;
5. Commit cybercrimes such as tax fraud;
6. Take banking information and make unauthorised withdrawals, purchases, and transfers;
7. Be robbed;
8. Suffer distress/depression/anxiety;
9. Suffer financial loss;
10. Damaging online reputation, and thus sabotaging career;
11. Gain admission to a educational (sic); and
12. Worried about future medical professional staff doing their jobs correctly and simply.
[3]
Background
In November 2020 EOE lodged an application for internal review with the Respondent in which they has alleged that the Respondent had breached a number of HPPs by sending a letter addressed to them at the wrong address ("the 3 June 2020 letter"). The letter was sent on or around 3 June 2020.
A chronology of events is set out in the internal review decision reasons. Ms Michelle Kirk, the Acting Manager of the Admission Service at John Hunter Hospital ("JHH") has also provided an affidavit dated 18 May 2021 in which she sets out a chronology of events. Annexures to Ms Kirk's affidavit support the chronology to the extent that documents are available. This chronology is summarised in the Respondent's written submissions.
The Applicant has provided copies of email chains between them self and staff of the Respondent. While these email provide the details of the communications I do not understand the chronology of events to be in dispute in any material way. As noted, the Respondent maintains that EOE provided the address of 38 X Avenue on 22 May 2020. EOE disagrees and maintains that they provided her address as 48 X Avenue.
The chronology indicates that:
1. On 21 May 2020, John Hunter Hospital ("JHH") received a request for admission for the Applicant;
2. On 22 May 2020, JHH staff called the Applicant to confirm their patient details. EOE's address was updated in the Patient Administration System, iPM ("the PAS") to 38 X Avenue;
3. On 25 May 2020, JHH Clinical Services sent a handwritten envelope to 48 X Avenue. Staff obtained this address during a telephone conversation with the Applicant and did not check it against the PAS.
4. On 3 June 2020, a letter of offer for an endoscopy was sent to the Applicant at 38 X Avenue, consistent with the contact details recorded for the Applicant in the PAS.
5. On 30 June 2020, the Applicant called JHH regarding her upcoming appointment. They stated that they had never received a letter of offer. Ms Kirk checked the Applicant's address in the PAS. The Applicant said that they thought it should be 48 X Avenue, not 38 X Avenue. The Applicant thought that they had previously received letters from the hospital to 48 X Avenue (presumably in reference to the envelope sent on 25 May 2020) but mentioned that they were unsure as it was their parents' address.
6. On 2 July 2020, the JHH Patient Representative, Jennifer Lamb, wrote to the Applicant regarding the complaint. Ms Lamb noted that the Applicant had provided the 38 X Avenue address when contacted by JHH in May 2020. Ms Lamb requested that the Applicant confirm her current address to ensure that correspondence could be sent to the right address.
7. On 5 July 2020, the Applicant replied to Ms Lamb, writing, "I am not confirming anything further as I've done this successfully in the past ... I didn't state 38 or 48 was the correct address.
8. On 11 July 2020, the Applicant wrote to the Respondent seeking a response to five questions relating to the alleged privacy breaches.
9. On 30 July 2020, JHH Patient Representative sent an email to the Applicant to confirm the issues to be addressed in their complaint.
10. On 3 November 2020, the Applicant wrote to the Privacy Officer at NSW Ministry of Health requesting an internal review of the matter. The Applicant identified the conduct the subject of the review in the following terms:
"The company disclosed my personal information to another person by sending my personal health information to [an] unknown address"; and
"Failure to protect my personal information from being inappropriately accessed by someone else".
[4]
The Internal Review
The Respondent undertook an internal review of the conduct. The internal review addressed the complaint that the Respondent had disclosed EOE's personal Information to another person by sending the 3 June 2020 letter to 38 X Avenue and that in doing so it had failed to protect EOE's personal Information from being inappropriately accessed by someone else.
The internal review considered the HRIP Act and specifically whether the Respondent had breached a number of HPPs, including:-
1. Collection of Health Information (HPP's 1 to 4);
2. Security of Health Information (HPP 5);
3. Accuracy of Health Information (HPP 9); and
4. Disclosure of Health Information (HPP 11)
The internal review determined that the Respondent had not breached any of the HPPs.
[5]
Applicable legislation
Section 11(1) of the HRIP Act provides that every "organisation" that is a health service provider or that collects, holds or uses health information is subject to that Act. The term "organisation" is defined in section 4(1) of the HRIP Act to include a public sector agency. The Respondent is a public sector agency.
Section 11(2) of the HRIP Act provides that an organisation to which the Act applies is required to comply with the HPPs that are applicable to the organisation. There is no dispute that the Respondent is an organisation to whom the Act applies and is required to comply with the HPPs which are set out in Schedule 1 of the HRIP Act. Section 11(3) of the HRIP Act provides that an organisation must not do anything, or engage in any practice, that contravenes a HPP.
The HPPs include principles in regard to the collection (clauses 1 to 4), retention and security (clause 5), access and amendment (clauses 6 to 8), use (clauses 9 and 10) and disclosure (clause 11) of a person's health information.
Section 21(1) of the HRIP Act makes provision for complaints to be made against a public sector agency in regard to conduct which is alleged to be a contravention of a HPP that applies to the agency. Such complaints are made pursuant to Part 5 of the Privacy and Personal Information Protection Act 1998 ("the PPIP Act"), and for that purpose a reference in Part 5 of the PPIP Act to "personal information" is to be taken to include "health information": section 21(2) HRIP Act.
The term "health information" is defined in section 6 of the HRIP Act in the following terms:
6 Definition of "health information"
In this Act, health information means -
(a) personal information that is information or an opinion about -
(i) the physical or mental health or a disability (at any time) of an individual, or
(ii) an individual's express wishes about the future provision of health services to him or her, or
(iii) a health service provided, or to be provided, to an individual, or
(b) other personal information collected to provide, or in providing, a health service, or
(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or
(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or
(e) healthcare identifiers,
but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.
Section 5 defines "personal information":
(1) In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
…
Personal information is defined in the same terms in subsections 4(1) and (2) of the PPIP Act.
Part 5 of the PPIP Act makes provision for the review of conduct of a public sector agency. Section 52 defines "conduct" to include the contravention of an information protection principle that applies to a government agency. These information protection principles are set out in Part 2 of the PPIP Act and include principles in regard to the collection, retention and security, access, alteration, accuracy, use and disclosure of personal information: sections 8 to 19 of the PPIP Act. As mentioned above, section 21(2) of the HRIP Act provides that for the purposes of Part 5 of the PPIP Act, a complaint made about conduct of an agency that contravenes a HPP, is also conduct falling within that Part.
A public sector agency is generally prohibited from disclosing personal information that it holds. Some exceptions apply to that general prohibition. Section 18 of the PPIP Act provides:
18 Limits on disclosure of personal information
(1) A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
(a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
(b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
(c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
(2) If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
The essence of disclosure of information is making known to a person information that the person to whom the disclosure is made did not previously know: see Nakhl Nasr v State of New South Wales; George Nasr v State Of New South Wales [2007] NSWCA 101 at paragraph [127].
Section 53 of the PPIP Act gives a person aggrieved by the conduct of a public sector agency the right to seek internal review of that conduct by that agency. By reason of section 21(1) of the HRIP Act, this right extends to conduct which is alleged to be a contravention of a HPP that applies to that agency.
Section 55 of the PPIP Act makes provision for a person dissatisfied with the findings of an agency, or the action taken by an agency, in regard to that person's internal review application, to seek external review of the conduct complained of. On review, the Tribunal's powers to take action are specified in section 55(2):
55 Administrative Review of Conduct By Tribunal
...
(2) On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:
(a) subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,
(b) an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,
(c) an order requiring the performance of an information protection principle or a privacy code of practice,
(d) an order requiring personal information that has been disclosed to be corrected by the public sector agency,
(e) an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,
(f) an order requiring the public sector agency not to disclose personal information contained in a public register,
(g) such ancillary orders as the Tribunal thinks appropriate.
An order for compensation for alleged financial loss and alleged psychological and physical harm can only be made where the loss and harm was because of the agency's conduct. The Applicant bears the onus of establishing that there is a causal link between the privacy breach and the damage allegedly suffered: APV v Department of Finance and Services [2016] NSWCATAD 168 at paragraph [42].
In NW v NSW Fire Brigades (No 2) [2006] NSWADT 61 O'Connor DCJ stated at paragraphs [20] - [24]:
20 ... In my opinion, the contravention does not have to be the only 'cause' or the most immediate 'cause' of the financial harm of which the applicant complains. ...
21 The 'but for' test to which the applicant has referred, as the way of judging whether a causal link is established was mentioned in FM v Vice Chancellor, Macquarie University [2003] NSWADT 78 (16 April 2003) (set aside in part by the Appeal Panel, and wholly by the Court of Appeal in Vice-Chancellor Macquarie University v FM [2005] NSWCA 192; but not affected in relation to this point). The Tribunal said:
'103 The requirement that any loss or damage be "because of" the conduct reflects the common law requirement that the damage must be caused by the conduct in question. The "but for" test is generally applied to torts and is relevant to these proceedings. Pursuant to the "but for" test, the conduct caused the damage if that damage would not have occurred without (but for) it. (March v Stramare [1991] HCA 12; (1991) 171 CLR 506.) In other words, did the conduct in question make any difference to the outcome?'
22 Some care should be taken, as I see it, in drawing strict analogies with the common law principles as they have developed in the law of torts and the law of contract.
23 In my view the award of statutory damages in Privacy Act matters remains a discretionary one even where a causal link sufficient to satisfy s 55(4). That the position under this statute is less automatic is reflected, I consider, in the language of the opening words of s 55(2):
'On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders' (Emphasis added).
24 These words do not preclude the possibility that the Tribunal might find a contravention, might find a causal link between the contravention and harm suffered and make no order. The matter of what to do after reviewing the conduct is left entirely to the Tribunal. Then if it is minded to make an order involving payment of damages the rule in s 55(4)(b) comes into play. It does not follow that if a causal link to satisfy s 55(4)(b) is found that the Tribunal must award damages. It still remains a discretionary matter. As I see it, there is no 'right' to compensation in the way that might be the case under common law principles in tort and contract.
In these proceedings the relevant personal information is EOE's identity and the information concerning their medical appointment.
It does not appear to be in dispute that the Respondent collected, retained and used EOE's personal information in arranging for a medical procedure. EOE did not complain about the Respondent's use of their personal information. EOE's complaint was in regard to the disclosure of their personal information and the failure to protect their information. The alleged breaches are said to be the result of inaccuracy of the recorded address.
HPP 2 provides:
2 Information must be relevant, not excessive, accurate and not intrusive
An organisation that collects health information from an individual must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that -
(a) the information collected is relevant to that purpose, is not excessive and is accurate, up to date and complete, and
(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
HPP 9 provides:
9 Accuracy
An organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
HPP 11 provides:
11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless -
(a) Consent
the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or
(b) Direct relation
the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or
Note -
For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.
…
[6]
The Applicant's case
EOE provided submissions and a significant amount of material in support of their claim. This included copies of email and texts that show communications between EOE and staff of the Respondent. They also attended the hearing and gave evidence.
EOE gave evidence that on either 21 or 22 May 2020 they contacted the Respondent and changed their address to 48 X Avenue. They subsequently received a letter sent to 48 X Avenue. The letter contained forms for an endoscopy appointment.
They later received a text about an appointment. They were informed by a staff member of the Respondent that a letter had been sent to 38 X Avenue. They were greatly concerned as the letter had been sent to the wrong address and it contained their personal information. They became concerned about their privacy.
With respect to the Respondent's evidence that its' records had been changed on 21 or 22 May 2020 to 38 X Avenue EOE noted that they had received mail at 48 X Avenue after those dates.
EOE contends that the Respondent has breached the HRIP Act by sending mail to the wrong address. They are concerned that unknown persons have been provided information regarding name, date of birth, and Medicare number. EOE is concerned that the information could be misused and submits that there should be consequences to the Respondent for the mistake.
EOE contends that there is inconsistency in the Respondent's material. For example the Internal Review decision states that a "leaflet was sent to the applicant on 21 May, 2020 to [38 X Avenue]" whereas Ms Kirk's evidence is that the Respondent's Patient Administration System records were not changed until 22 May 2020 to record EOE's address as 38 X Avenue.
EOE submits that there is no evidence that they rang and asked for the change of address to 38 X Avenue. EOE further submits that if they had requested a change of address to 38 X Avenue it makes no sense that a letter would be sent to 48 X Avenue a few days later.
In her complaint EOE identified the following as actions that they wanted the Respondent to take in relation to the conduct:
1. apology and acknowledgement of the effects this has caused and may potentially cause;
2. placing an alert on the electronic health file which comes up when the file is accessed to indicate that caution is required when releasing information to third parties;
3. any expenses paid if EOE suffers consequences in the future which are caused by her personal information being released;
4. more training of staff on how to have a friendly approach in regards to privacy concerns; and
5. investigation feedback on how and why this mistake occurred.
[7]
The Respondent's case
The Respondent relies on the evidence of Ms Kirk. As noted, Ms Kirk provided affidavit evidence and also attended the hearing and was cross-examined. The Respondent's solicitor, Mr Allchurch, provided both written and oral submissions on behalf of the Respondent.
[8]
Ms Kirk's evidence
Ms Kirk provided evidence based on her personal knowledge and also from information that has been recorded on the Respondent's patient records system.
Her evidence is that she was consulted when EOE was speaking to a bookings clerk and was upset about the mail going to the wrong address. In her affidavit she stated:
On 22 May 2020, Sara Smith, admissions clerk, called [EOE] to confirm [their] patient details. This is standard practice when a new request for admission is received. When an admissions clerk contacts a patient to update their records, they have iPM [the Patient Administration System] open on a computer in front of them and they enter that information directly into iPM while they are speaking to the patient.
Ms Kirk said that she spoke with Ms Smith and that Ms Smith confirmed that she had followed the usual procedure in amending the record of EOE's address.
On 30 June 2020 Ms Kirk wrote to Jennifer Lamb, patient Representative, in the following terms
The Booking Clerk in Endoscopy received a phone call today by [EOE].
Below is a brief outline but I will contact you Wednesday morning to discuss, as I am not sure how to respond.
[EOE] called as [they] had received a txt message advising [them] of a TG date of the 7th July.
[EOE] advised [they were] not happy as this was the only time [they] had been notified of the TCI date and did not believe it was appropriate for a patient to be dated without prior confirmation.
I spoke with [EOE] and explained that as a booking process patients do get dated in the future and a letter sent out or if it is short notice a phone call to advise. Notes in the waiting list indicate the patient had been left messages + SMS to confirm date on numerous occasions as well as a letter of offer sent on the 3rd June.
[EOE] stated they had never received a letter of offer, I checked the address with the patient and [they] stated [they think] its 48 not 38 [X Avenue]. I advised and sent [EOE] a copy of the letter that was sent to 38 X Avenue, the address appears to be updated on the 21/5 when contacted by the Admission Clerk to check details. [EOE] said [they] thinks [they] had received letters from the hospital to 48 [they] did mention it was [their] parents address so [they] wasn't sure.
I have contacted IT to investigate; they have advised that it does not show anywhere that the address was at any time number 48.
Under cross-examination, Ms Kirk agreed that Ms Smith may have inserted the wrong address into the system as human error is a possible explanation.
Ms Kirk said that if the Patient Administration System recorded EOE's address as to 38 X Avenue it would not allow a letter to be sent to her at 48 X Avenue. EOE's address has never been listed as 48 X Avenue in the system. The hand-written address on a letter sent to 48 X Avenue after the address was recorded on 22 May 2020 was sent from the Respondent's gastroenterology area. Ms Kirk could not explain how the sender obtained the address as 48 X Avenue. She was not aware of how the gastroenterology area records system operated or whether it operated under the same the Patient Administration System.
In regard to EOE's request that an alert be placed on the Respondent's system Ms Kirk stated:
On 14 May 2021, Greg Jackson, Manager Records Privacy & Cyber Security, Hunter New England Local Health District, Renae Lines, Revenue & Patient Services Manager, Hunter New England Local Health District and I discussed the possibility of an administrative alert being placed on iPM to notify persons accessing [EOE's] information to take additional steps to verify [their] identity if speaking to someone purporting to be [them]. On 18 May, 2021, I was informed by Greg Jackson that an alert of that nature has now been placed on iPM.
[9]
Submissions
Mr Allchurch submitted that the Internal Review statement that a "leaflet was sent to the applicant on 21 May, 2020 to [38 X Avenue]" is probably a typographical error and it should have indicated that the leaflet was sent on 22 May 2020.
The Respondent submits that there could not have been a breach of the HRIP Act in regard to the letter that was sent to the Applicant at 48 X Avenue as it was correctly sent and it was not raised in the internal review request.
It contends that the core of the dispute is whether the Applicant provided 38 X Avenue or 48 X Avenue as their address. The contemporaneous record made by Ms Smith recorded the address as 38 X Avenue not 48 X Avenue.
The Respondent maintains that EOE provided the address of 38 X Avenue when they spoke to Ms Smith on 22 May 2020. EOE disagrees and maintains that they provided their address as 48 X Avenue.
The Respondent submits that there is a practical onus on a party who raises a specific fact for consideration to prove the existence of that fact. It relies on views expressed by the Appeal Panel in Collins v Department of Fair Trading [2019] NSWCATAP 199 at paragraph [47]:
It is well established that, in undertaking its task, the Tribunal must consider the matter afresh, and neither party bears an onus of proof, though there will be occasions on which one party is in a better position than the other to address a specific factual matter. (see Minister for Immigration and Multicultural and Indigenous Affair v QAAH of 2004 [2006] HCA 53; (2006) 231 CLR 1 at [39]- [40]. There is a practical onus on the party who raises a specific fact for consideration to prove the existence of that fact (see Re Holbrook and Australian Postal Commission (1983) 5 ALN N 46).
The Respondent further submits that if the Tribunal is left in a state of uncertainty about a fact in issue, it ought to find against the Applicant. In KP v Narrandera Shire Council [2011] NSWADTAP 15 the Appeal Panel stated at paragraphs [26] -[31]:
26. Ordinarily, if a court or tribunal is left in a state of uncertainty in relation to a matter, then the issue will be decided against the party who bears the legal burden of proof. The terms 'evidential burden' and 'tactical burden' of proof have been the source of some confusion. CR Williams has succeeded in clarifying the various ways in which those terms have been used and we have adopted his preferred terminology: Williams CR, Burdens and Standards in Civil Litigation (2003) Sydney Law Review 9. The evidential burden, sometimes called 'the duty of producing evidence', most commonly arises in the context of trial by jury. The judge may decide not to leave an issue to the jury if the party with the evidential burden of proof has not produced sufficient evidence to raise an issue as to the existence or non-existence of a fact in issue. In cases where there is no jury, the evidential burden is merely the burden of producing evidence on any issue. The general rule in civil cases is that the party who has the legal burden also has the evidential burden.
27. Neither the ADT Act nor the PPIP Act attributes a legal burden of proof to any party. That situation may be contrasted with the situation under the Government Information (Public Access) Act 2009 (GIPA Act). The burden of establishing that a decision made under that Act is justified lies on the agency. However, in relation to a decision to provide access to government information, the burden of establishing that there is an overriding public interest against disclosure of information lies on the applicant for review: s 105. In the absence of any express legislative provision in the PPIP Act, the relevant provisions must be interpreted in context to determine whether there is a legal burden of proof and, if so, where that burden lies.
28. In NS v Commissioner, Department of Corrective Services [2004] NSWADT 263, the following discussion of this issue appears at [32] and [45] to [46]:
32 The Deputy Privacy Commissioner also submitted that there was no rule that the applicant bears an onus of proof in reviews of conduct under the PPIP Act and in this regard relied on the decision of GV v Officer of the Director of Public Prosecutions [2003] NSWADT 177. They went on to submit that if such an onus was to be placed on an applicant then applicants would be greatly disadvantaged as they do not have any knowledge of the way the agency manages the personal information it holds and they are therefore not in the same position as the agency to ascertain the exact nature of the conduct complained about.
....
45 I agree with the submissions of the Deputy Privacy Commissioner in respect of onus of proof. The Appeal Panel recently adopted such an approach in KO v Anor v Commissioner of Police, New South Wales Police (GD) [2004] NSWADT 21 at [40 to 43].
46 In GR (at [35] and [36]), the Appeal Panel adopted observations made by the Australian Law Reform Commission in its report entitled "Managing Justice: A Review of the Federal Civil Justice System" in respect of merit review by the tribunals as applying equally to a review under s.55(1) of the PPIP Act. These observations expressly stated that in a merits review "neither the applicant nor the respondent agency carries a burden of proof to prove or disprove a fact".
29. This analysis does not resolve the question of what the Tribunal should do if left in a state of uncertainty in relation to a fact in issue after reviewing all the available evidence. It was said by the Federal Court in a landmark decision in 1984 that the notion of onus of proof is not directly relevant to administrative proceedings where a tribunal, such as the Administrative Appeals Tribunal, is not bound by the rules of evidence and may inform itself as it thinks fit: McDonald v Director-General of Social Security [1984] FCA 57; (1984) 1 FCR 354 at 358; [1984] FCA 57; 6 ALD 6 at 11 per Woodward J. In particular it was held "there can be no evidential onus of proof in proceedings before the AAT unless the relevant legislation provides for it, and in the present case the Social Security Act 1947 does not." Nevertheless, Woodward J acknowledged that if the AAT, "finds itself in a state of uncertainty after considering all the available material … it will be necessary for it to analyse carefully the decision it is reviewing." Depending on the terms of the legislation, the issue must be resolved one way or the other.
30. The nature of the Tribunal's role under the PPIP Act is, so far as we are aware, unique. The Tribunal is not merely an executive decision maker as the AAT was in McDonald. While the Tribunal is exercising its review jurisdiction when determining whether certain conduct amounts to a contravention of an Information Protection Principle, it is exercising judicial power when determining whether to take no action or grant the relief available under s 55(2) including damages and mandatory and prohibitory injunctive relief: PPIP Act, s 55(2)(a)(b) and (c). Those functions are analogous to functions exercised by judges and other decision makers in civil proceedings before courts and tribunals, where an applicant is seeking to assert his or her rights.
31. Given the nature of the review under the PPIP Act, and the absence of any provisions attributing onus to either party, if left in a state of uncertainty in relation to a fact in issue, that fact should be decided against the applicant.
In relation to HPP 2 the Respondent submitted:
HPP 2 does not require an agency to ensure that the information it collects is accurate - it requires the agency to take such steps as are reasonable in the circumstances to ensure that the information it collects is accurate. The Respondent submits that, by obtaining the applicant's address directly from the applicant, no further steps were required to be taken in the circumstances to ensure the accuracy of that address. That is, it is plainly reasonable to rely on the applicant to provide [their] address correctly.
That an agency is generally entitled to assume the accuracy of information provided by the individual to whom it relates is supported by HPP 3, which requires organisations to collect health information about an individual from that individual, unless it is unreasonable or impracticable to do so.
[T]his dispute is a factual one as to the conversation of 22 May 2020. The Respondent submits that the Tribunal cannot be satisfied that the applicant provided [their] address as [48 X Avenue]. At the highest, the Respondent submits that the Tribunal would be satisfied that they provided the [38 X Avenue] address. At the least, the Respondent submits that there is a state of uncertainty, such that the Tribunal should find against the applicant: KP.
As set out in the Kirk Affidavit … the PAS indicates that the applicant's address was updated to [38 X Avenue] on 22 May 2020. That was a contemporaneous change that was entered into the PAS while Ms Smith was talking to the applicant...
On the basis of the evidence before the Tribunal, the Respondent submits that there is a basis for doubting that the applicant knew [their] address with precision at the time they provided it to JHH staff on 22 May 2020. The evidence also indicates that the applicant does not clearly recollect which address they provided to JHH staff. On 30 June 2020, the applicant spoke to Ms Kirk …
"[EOE] said they had received letters from the hospital to 48 they did mention it was her parents address so … wasn't sure".
The Respondent submits that this lack of certainty as to the correct address on 30 June 2020 is consistent with the applicant providing the wrong address on 22 May 2020.
This uncertainty was further demonstrated by the applicant's refusal to confirm her address on 5 July 2020. The applicant wrote,
"I didn't state 38 or 48 was the correct address"
... Even in the course of attempting to resolve [their] complaint, the applicant's communications with the Respondent indicated an uncertainty as to [the] correct address.
The materials which the applicant has filed with the Tribunal do not resolve that uncertainty. As part of [their] evidence, the applicant has filed various email communications between [EOE] and the Respondent. However, the applicant has not provided any evidence as to the contents of [their] conversation with JHH staff on 22 May 2020. The Respondent submits that the Tribunal cannot be satisfied that the applicant told the Respondent the correct address on 22 May 2020.
In relation to HPP 9 the Respondent submitted:
In the event that the Tribunal considers that HPP 9 was engaged, the Respondent submits that its conduct did not breach HPP 9. As with HPP 2, the obligation on the Respondent was not to ensure the accuracy of the information, but to take such steps as are reasonable in the circumstances to ensure its accuracy before use.
The letter of 3 June 2020 was sent based on the applicant's record in the PAS, which was updated on 22 May 2020. Checking that record was the reasonable step which the Respondent took to ensure the accuracy of the Respondent's address. The Respondent was entitled to rely on the accuracy of its centralised database for patient details, particularly in circumstances where very little time had passed between the collection of the information and the sending of the letter. In those circumstances, no further steps were required to be taken by the Respondent to ensure the accuracy of the applicant's address. For example, it would not be reasonable to expect the Respondent to call every patient to confirm his or her address each time that it wished to send correspondence to the patient by post.
The Respondent acknowledges that, in a subsequent phone call with JHH Clinical Services on 25 May 2020, the applicant provided [their] address as 48 X Avenue. As that address was provided directly by the applicant and handwritten on an envelope at that time, it was not cross-checked with the address in the PAS. The Respondent submits that this intervening event does not alter the fact that all reasonable steps were taken on 3 June 2020 to ensure the accuracy of the applicant's address.
In relation to HPP 11 the Respondent submitted:
It is not in dispute that the applicant's health information was sent to an address at which they did not reside. This raises a question as to whether there has been a disclosure to the residents of 38 X Avenue of the applicant's health information, in breach of HPP 11.
In the first instance, the Respondent submits that it relied on the information which the applicant provided, being the address of 38 X Avenue. The Respondent submits that the disclosure of the applicant's health information to that address could not be a breach of HPP 11:
a. Because the disclosure was for the primary purpose of providing the applicant with health services, the same purpose for which her health information was collected (HPP 11(1));
b. In the alternative, because the applicant consented to the disclosure of her health information to the address which they provided (HPP 11(1)(a));
c. In the further alternative, because the disclosure of the information was for a secondary purpose directly related to the primary purpose and the applicant would reasonably expect the Respondent to disclose the information for that secondary purpose to the residents of the address which they provided (HPP 11(1)(b)).
In short, the Respondent submits that, if the Tribunal accepts that the applicant provided the address of 38 X Avenue, then the Respondent was entitled to rely on that address.
If, however, the Tribunal accepts that the applicant did not provide the incorrect address, the Respondent submits that it would not necessarily follow that there had been a breach of HPP 11 in the sending of the letter to that address.
The Respondent submitted that, in any event, most people do not open mail that is sent to the wrong address. It referred to views that I expressed in DQJ v Secretary, Department of Family and Community Services [2019] NSWCATAD 138 ("DQJ"). In DQJ I considered a situation in which a letter was sent to the applicant by post in circumstances where the applicant had requested that all correspondence be sent by email. At paragraphs [48] - [50] I stated:
48 DQJ has not seen the letter. While there is no evidence to suggest that the letter was ever delivered to the contact address, it is reasonable to assume that it would have been delivered within a reasonable time after 10 February 2018. However, it cannot be assumed that the letter was ever opened. There is no evidence to suggest that the letter was opened or that anyone at the contact address became aware of the personal information that was included in the letter. At its highest, it can be inferred that residents at the contact address might have become aware that a letter from the Respondent had been sent to DQJ. There is no evidence that the content of the letter was disclosed to anyone.
…
50 In these circumstances I am not satisfied that the Respondent breached section 18 of the PPIP Act by sending the letter to the contact address.
In the present matter EOE has alleged that their health information was disclosed to the residents at 38 X Avenue. The Respondent submitted that, as was the case in DQJ, there is no evidence before the Tribunal that the residents at 38 X Avenue opened the letter addressed to the EOE. In the circumstances, the Tribunal cannot be satisfied that there has been a disclosure of her health information in breach of HPP 11. The Tribunal should find accordingly.
In regard to the issue of consequences that should flow from the conduct, the Respondent submitted that it is well over a year since the mail was sent to the wrong address. The probability of misuse of EOE's information is now small. Further, there is no basis for finding that there is a link between the conduct and the alleged effect on the Applicant.
The Respondent contends that sending a letter to an address that is held in its records was reasonable. It submits that in the circumstances there was no breach and therefore there should be no penalty.
[10]
Consideration
I agree with the Respondent that the core of the dispute is whether the Applicant provided 38 X Avenue or 48 X Avenue as their address.
I also agree that issues related to sending a letter to the Applicant at 48 X Avenue are not part of these proceedings as they were not raised in the internal review request.
It is not in dispute that the contemporaneous record made by Ms Smith recorded the Applicant's address as 38 X Avenue not 48 X Avenue. It is possible that Ms Smith made a mistake and wrongly recorded the address. It is also possible that the Applicant made a mistake and gave Ms Smith the wrong address.
The evidence before the Tribunal is inconclusive. I have no contemporaneous evidence from the Applicant in regard to the conversation that they had with Ms Smith and I have no direct evidence from Ms Smith. I have evidence from Ms Kirk that she spoke to Ms Smith. Ms Kirk has said that Ms Smith confirmed that she followed the usual procedure in amending the record of EOE's address. I have notes of Ms Kirk as recorded in her email to Ms Lamb on 30 June 2020 which refer to a conversation between Ms Kirk and the Applicant and which suggest that at that time EOE was unsure of whether the correct address was 38 X Avenue or 48 X Avenue.
As was the case in KP v Narrandera Shire Council this is a matter in which the Tribunal is left in a state of uncertainty about a fact in issue. The Respondent has provided evidence of changes made to the address recorded in the Patient Administration System. This change was made while the conversation between EOE and Ms Smith was taking place. Applying the reasoning in KP v Narrandera Shire Council leads to the need to make a finding in relation to the fact that is in issue. In my view it is probable that EOE told Ms Smith that her address was 38 X Avenue and not 48 X Avenue.
I accept that EOE's correct address was 48 X Avenue and not 38 X Avenue. I also accept that the Respondent sent the 3 June 2020 letter to the wrong address. However, I have insufficient evidence on which I can conclude that the Respondent has breached any of the HPPs.
It follows that, as I cannot be satisfied that the Respondent has breached the HRIP Act, there is no basis on which I am able to make orders in favour of the Applicant pursuant to section 55(2) of the PPIP Act. The appropriate order is to dismiss the application in relation to the conduct of sending the 3 June 2020 letter to the wrong address.
[11]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 13 December 2021