EQH and M were at all material times colleagues and employees at an NSWHP laboratory. NSWHP is a division of the Respondent. Amongst other things, NSWHP operates laboratories in conjunction with New South Wales hospitals for the collection and analytical investigation of a range of specimens.
On 11 November 2020, EQH made an application to the Respondent for a review of its conduct after EQH became aware that M had accessed her health information contrary to the Respondent's policy. EQH claimed the Respondent had:
(a) not taken such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure, and against all other misuse of her personal and health information, contrary to s 12(c) of the PPIP Act and HPP 5(1)(c);
(b) used her personal and health information contrary to s 17 of the PPIP Act/HPP 10(1); and
(c) disclosed her personal and health information contrary to s 18 of the PPIP Act/HPP 11(1).
EQH alleged that M accessed her electronic medical records ('eMR') on 30 November 2016. EQH discovered this incident via documents provided to her in response to an application she made under the GIPA Act.
The Respondent conducted an audit of EQH's eMR. These records form part of documents held by the Northern New South Wales Local Health District. The Respondent also conducted an audit of access to NSWHP's laboratory information system ('LIS') in respect of EQH. As pointed out by EQH and noted in the submissions of the Respondent, the audit of the LIS was undertaken despite no complaint being made in respect of it. The audit of the LIS determined that M had accessed EQH's health information via the LIS on 7 occasions between 21 February 2017 and 26 March 2019.
The Respondent's human resource department undertook an investigation into the various incidents relating to the access of EQH's health information. A number of findings were made in that investigation and the internal reviewer concluded that the Respondent had not breached the HRIP Act because the conduct of M was that of a 'rogue employee', which should not be attributed to the Respondent in circumstances where the Respondent's privacy training programme was relatively robust and M had admitted that she should not have accessed EQH's health information.
The Respondent submits that the application should be dismissed on the basis that the Respondent was not responsible for the conduct in question, it being conduct not sanctioned by the Respondent and contrary to its policies.
EQH contends that the Respondent failed in its duty to undertake (a)-(c) inclusive as set out in paragraph [7] above.
In the Respondent's investigation, M asserted that EQH had asked M to access her personal and medical information. This contention is disputed by EQH. The ultimate findings of the Respondent's investigation also appear to reject M's contention in this regard.
The following reasons for decision relate solely to the question of whether the Respondent is responsible for the conduct that is alleged to have contravened the HRIP Act by virtue of a breach of HPP 5(1)(c).
It is not in dispute that the information at issue in these proceedings comprised personal information within the meaning of s 4(1) of the PPIP Act (being EQH's name, date of birth and address accessible from EQH's eMR). It is also not in dispute that the information is 'health information' within the meaning of s 6 of the HRIP Act (being EQH's pathology results available from the LIS and other medical information available from EQH's eMR and the LIS).
The Respondent is a public sector agency to whom the information protection principles in the PPIP Act ('IPPs') and the health protection principles in the HRIP Act ('HPPs') apply; see s 20(1) of the PPIP Act; s 11(2) of the HRIP Act.
It is not in dispute that the Respondent is a statutory body representing the Crown as defined in s 9(2)(f) of the Health Administration Act 1982 (NSW) and paragraph (b) of the definition of 'public sector agency' in s 3(1) of the PPIP Act and s 4(1) of the HRIP Act, noting that 'organisation' is defined in s 4(1) of the HRIP Act to mean, relevantly, a public sector agency. NSWHP is a division of the Respondent.
The parties both contend that the Tribunal's jurisdiction is, therefore, enlivened to review the Respondent's conduct alleged to have contravened an IPP and/or an HPP where such conduct was the subject of an internal review application pursuant to sections 52 and 55(1) of the PPIP Act and s 21 of the HRIP Act.
Section 6(b) of the HRIP Act includes 'other personal information collected to provide, or in providing, a health service'. All of the information about EQH that is the subject of her application is, therefore, 'health information', so in determining this matter the HRIP Act applies.
The question that arises in the proceeding is whether, due to a contravention of HPP 5(1)(c), the Respondent is responsible for the conduct of the employee in accessing the Applicant's personal and health information other than as required in the exercise of her duties.
HPP 5(1)(c) relevantly obliges the Respondent to ensure that the Applicant's health information 'is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse.'
If I find that the Respondent is not responsible for the conduct of M in accessing EQH's personal and health information other than as required in the exercise of her duties, no further order is required and the correct and preferable decision is to affirm the Respondent's internal review decision. If I find that the Respondent is responsible for the conduct of M, the matter will be relisted for further hearing to determine the matter and make orders in that regard.
[2]
Evidence filed in the proceedings
EQH relies upon the following evidence:
Application filed 1 April 2021 - A1; and
bundle and submissions filed 6 August 2021 - A2.
EQH cross-examined Mr Matthew Ryan and Ms Michelle Macpherson, witnesses for the Respondent. EQH's agent made oral submissions.
The Respondent filed and relied upon the following evidence.
Open statement of Mr Matthew Ryan 31 May 2021 - R1;
statement of Ms Michelle Macpherson 31 May 2021 - R2;
supplementary statement of Mr Matthew Ryan 18 August 2021 - R3;
supplementary statement of Ms Michelle Macpherson 18 August 2021 - R4; and
confidential statement of Mr Matthew Ryan (marked confidential) 31 May 2021 - R5.
The Respondent filed written submissions (in an open and confidential bundle) and reply written submissions.
[3]
Evidence of Mr Matthew Ryan
Mr Matthew Ryan is the Privacy, Right to Information and Records Officer employed by NSWHP. Mr Ryan made statements which have been marked R1 and R3. In his role, Mr Ryan acts as the Privacy Contact Officer (PCO) which he says is the first point of contact for members of the public when making enquiries or complaints related to privacy. Mr Ryan has been in that role since August 2019.
On receiving EQH's complaint on or about 7 December 2020, Mr Ryan contacted EQH by email. He also contacted a number of other employees of the Respondent, including the Director of Operations-North, Mr David Spence, and the HR Manager-North, Ms Nicole Talty, and requested that they undertake an investigation into the allegations made in the privacy complaint.
As part of the privacy complaint investigation Mr Ryan obtained copies of audit reports of both the EMR of the Northern New South Wales Local Health District and NSWHP's LIS. The audit reports are attached to Mr Ryan's statement. Mr Ryan states that the audit reports are useful in determining the validity of any allegation raised in a privacy breach allegation. In accordance with the Tribunal's order pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 the confidential attachments to Mr Ryan's statement have not been provided to EQH.
Mr Ryan's statement annexes a number of documents relied upon by the Respondent evidencing its policies and guidelines that relate to privacy matters, complaints about privacy breaches and managing misconduct. The policy and guidelines include the following.
The Health Privacy Policy - was published in 2015 and, according to Mr Ryan, remains in place. He says the manual provides operational guidance regarding the legislative obligations imposed by the HRIP Act. The manual outlines procedures to support compliance with the HRIP Act in any activity that involves personal health information. Mr Ryan says the manual is available to staff (as well as to the public) on NSW Health's Policy Distribution System (PDS) and in NSWHP's policy library on the intranet.
The privacy leaflet for staff - is part of the privacy manual and summarises key privacy requirements for NSW Health staff and their obligations under the HRIP Act. The latest version of the document, published in November 2019, is annexed to his statement. At the time of the subject complaint, Mr Ryan said, a previous version of the document was in existence. The privacy leaflet is available to staff (as well as to the public) on the NSW Health PDS, with a link to it from NSWHP's privacy page on the intranet.
The Privacy Management Plan - contains information about the management of personal information held by NSW Health. This document was published on 14 September 2015 and is available for staff on the NSW Health PDS and NSWHP's policy library on the intranet.
Privacy Module 1: Know your boundaries - is a mandatory module for staff who work, study or volunteer within NSW Health. Mr Ryan says all new employees on induction are required to complete this module which advises staff on their privacy obligations as a NSW Health staff member and where to obtain information about privacy guidance.
Privacy Module 2: Handling personal health information - is an eLearning module that provides awareness of privacy obligations relating to the collection and security of personal health information. The module is optional and not mandated for staff as a matter of course. However, the module is often mandated for individual staff members involved in a privacy breach.
The Privacy Modules 1 and 2 are provided as part of the suite of training resources by the Health Education and Training Institute (HETI), a website which staff access to undertake training. The modules are eLearning modules.
PD2015_049 NSW Health Code of Conduct - sets standards of ethical and professional conduct in NSW Health, including privacy, and applies to all of NSW Health, including NSWHP. Relevantly, conduct of staff in privacy breach allegations is linked to clause 4.5: maintain the security of confidential and/or sensitive official information. The most recent document was published on 16 December 2015 and is available to staff (as well as to the public) on NSW Health's PDS and NSWHP's policy library on the intranet.
PD2009_076 Communications - use and management of misuse of NSW Health communication systems - provides guidance and direction about the mechanisms required to minimise inappropriate use, and the controls required to monitor the use, of NSW Health communication systems and devices. The document was published on 19 November 2009 and is available to all staff (as well as to the public) on NSW Health's PDS and NSWHP's policy library on the intranet.
Mr Ryan says that the privacy related resources are communicated and promoted to staff in their training to ensure staff awareness and understanding of patient privacy is promoted in a routine and ongoing way. Staff also have access to the intranet with a dedicated privacy page containing information on NSWHP's commitment to safeguarding the privacy of patient information. The page contains links to key privacy resources on the NSW Health website. In addition, the Corporate Communications Team schedules regular provision of corporate eCommunications to staff highlighting key messages that management wish to convey to staff, including privacy related messages to prompt staff using corporate eCommunication devices.
[4]
NSWHP Privacy Compliance and Action in Response to Breaches
Mr Ryan states that instances during his tenure of employment with the Respondent of serious privacy breaches are rare. In some circumstances, following investigation, the scale and seriousness of a privacy breach has resulted in the employment of a staff member being terminated.
Mr Ryan sets out a few examples of allegations of privacy breaches which have been dealt with by the Respondent in accordance with its policies and procedures.
Mr Ryan states in his supplementary statement (R3) that when he receives an allegation of inappropriate access to the EMR and LIS systems he conducts an access audit regardless of whether a privacy complaint has been lodged as a formal internal review application under Part 5 of the PPIP Act.
In cross-examination Mr Ryan agreed that there was no proactive audit system within NSWHP to detect how access to its systems was being used. Mr Ryan agreed that an access audit is only undertaken when Health advises of a privacy breach notification. Mr Ryan denied that part of his role required him to mandate privacy training for employees of the Respondent. In this regard, he said HETI was the organisation responsible for the design of employees' training, including training around privacy. Mr Ryan disagreed with the proposition that Module 2 of the training was mandatory but that NSWHP staff were not required to undertake it. He said Module 2 is not a mandated training course across all of NSW Health, including NSWHP.
Despite the cross-examination, I accept Mr Ryan as a reliable and truthful witness.
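The distinction drawn in cross-examination between a complaint-driven access audit and a proactive one can be made concrete. The following is an added example; it is not part of the Tribunal's reasons and is not NSWHP's or NSW Health's code. The log format, the staff register, the specimen workload, the user identifiers and the thresholds are all constructed for illustration. It applies the kind of standing checks a proactive audit would run over an EMR/LIS access trail: accesses to a record that belongs to another staff member, accesses with no specimen received for that patient within a short window, and repeated access to the same record on several distinct days.

```python
"""Proactive access-audit pass over an EMR/LIS access trail.

Added example, not from the decision or from NSWHP. Every line of data
below is constructed; the log format (timestamp,system,user,patient_mrn,action)
is an assumption, not the format of any real Cerner or LIS audit report.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed access trail. u_m / u_eqh / u_to are hypothetical user ids.
ACCESS_LOG = """\
2017-02-21T09:12:00,LIS,u_m,MRN100,view_result
2017-02-21T09:40:00,LIS,u_m,MRN300,view_result
2017-03-02T14:05:00,LIS,u_m,MRN100,view_result
2017-03-02T14:06:00,EMR,u_m,MRN100,view_episode
2018-06-11T08:30:00,LIS,u_to,MRN400,release_result
2019-03-26T16:50:00,LIS,u_m,MRN100,view_result
2019-03-26T16:52:00,LIS,u_m,MRN100,view_result
"""

# Constructed staff register: user id -> MRN of that staff member's own patient record.
STAFF_MRN = {"u_m": "MRN200", "u_eqh": "MRN100", "u_to": "MRN500"}

# Constructed laboratory workload: specimens received, as (date, patient_mrn).
SPECIMENS = [
    ("2017-02-21", "MRN300"),
    ("2017-03-02", "MRN100"),
    ("2018-06-11", "MRN400"),
]


@dataclass(frozen=True)
class Access:
    ts: datetime
    system: str
    user: str
    mrn: str
    action: str


@dataclass(frozen=True)
class Finding:
    access: Access
    reasons: tuple


def parse_log(text):
    """Parse the constructed CSV trail into Access records, in log order."""
    return [
        Access(datetime.fromisoformat(ts), system, user, mrn, action)
        for ts, system, user, mrn, action in csv.reader(StringIO(text))
    ]


def audit(accesses, staff_mrn, specimens, window_days=2, repeat_days=3):
    """Flag accesses that a proactive review should surface.

    Rules (thresholds are assumptions):
      * record belongs to the accessing user or to another staff member;
      * no specimen for that patient received within +/- window_days;
      * same user touched the same record on >= repeat_days distinct days.
    """
    mrn_owner = {mrn: user for user, mrn in staff_mrn.items()}
    specimen_dates = defaultdict(list)
    for date, mrn in specimens:
        specimen_dates[mrn].append(datetime.fromisoformat(date).date())
    window = timedelta(days=window_days)

    # Distinct days on which each (user, record) pair was touched.
    days_seen = defaultdict(set)
    for a in accesses:
        days_seen[(a.user, a.mrn)].add(a.ts.date())

    findings = []
    for a in accesses:
        reasons = []
        owner = mrn_owner.get(a.mrn)
        if owner == a.user:
            reasons.append("own record")
        elif owner is not None:
            reasons.append(f"colleague record ({owner})")
        linked = any(abs(a.ts.date() - d) <= window for d in specimen_dates.get(a.mrn, []))
        if not linked:
            reasons.append(f"no specimen within {window_days}d")
        n_days = len(days_seen[(a.user, a.mrn)])
        if n_days >= repeat_days:
            reasons.append(f"accessed on {n_days} distinct days")
        if reasons:
            findings.append(Finding(a, tuple(reasons)))
    return findings


def summarise(findings):
    """Count flagged accesses per (user, record) pair for the reviewer."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f.access.user, f.access.mrn)] += 1
    return dict(counts)


if __name__ == "__main__":
    found = audit(parse_log(ACCESS_LOG), STAFF_MRN, SPECIMENS)
    for f in found:
        print(f.access.ts.isoformat(), f.access.system, f.access.user,
              f.access.mrn, "; ".join(f.reasons))
    print(summarise(found))
```

The two-day window and the three-day repeat count are assumptions chosen for the constructed data, not values taken from the decision; a real deployment would tune them against the laboratory's actual workload, would need a reliable staff-to-MRN mapping, and would run the pass on a schedule rather than on receipt of a complaint, which is the gap Mr Ryan acknowledged.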
[5]
The Evidence of Ms Michelle Macpherson
Ms Macpherson relied on two statements, Exhibits R2 and R4. Ms Macpherson is employed by NSWHP as the Northern New South Wales Operations Manager-North. In her role, she has managerial oversight of the subject NSWHP laboratory and has been employed in this role for about 5 years.
The subject NSWHP laboratory allows the following staff positions to access the Northern New South Wales Local Health District (NNSWLHD) EMR and LIS:
Staff specialists: haematologists, microbiologists and anatomical pathologists;
senior hospital scientific staff: as per staff specialists;
technical officers: technical officers have specific qualifications, but not medical ones. They are qualified to do pathology testing in the laboratory;
technical assistants: technical assistants collect specimens and transport them, and carry out data entry/records functions; and
admin officers: do typing and administrative office work, often not handling specimens.
(My emphasis in bold)
Ms Macpherson states that each of the persons employed in these roles require access to the EMR and LIS systems for various reasons.
Relevantly, technical assistants (the role in which M was employed) may undertake data entry of test results, but the release of results requires validation by a technical officer or other senior hospital scientific staff or staff specialists, all of whom have scientific qualifications. The release of patient results is subject to a strict process regulated by the Release of Results Policy NSWHP PD-016.
To undertake their duties, technical assistants and admin officers access the EMR and LIS systems for administration and billing references and to find the admission episode number linked for data entry and billing purposes. Ms Macpherson said this includes ensuring pathology results are transmitted to the hospital's system.
In the NSW Health Privacy Manual for Health Information, clause 9.2.3 states 'Staff should be provided with the appropriate level of access to physical and electronic records in accordance with their role and the work requirements'.
Ms Macpherson says there are no junior staff members at the front desk. The staff members utilised for that particular shift/position are fully trained and competent technical assistants of the same grade as the phlebotomy staff, SRA (Specimen Reception Area) staff and the courier staff. The shift/position also handles all of the cardio scan results, including downloading and entry of results to the LIS, and the person is competent to work alone in the same manner as trained and competent phlebotomy staff on the hospital wards and in the outpatient collection rooms.
Ms Macpherson outlines the particular duties required of the front office position. Importantly, she says that access to the LIS and EMR system is essential for that person to perform the patient duties associated with the shift and to perform the report and result release duties and the cardio scan duties.
Ms Macpherson said that M has a different role from that of EQH. Despite them being both employed as 'technical assistants', they have different role orientations within the employment grade. The technical assistant role has 3 main grading orientations: sample collection (i.e. phlebotomists, being venepuncture); laboratory/SRA (which is for sample handling and processing as well as administration and documentation of laboratory requirements); and courier (who may also do laboratory/SRA functions).
Ms Macpherson says that M had the same role and responsibilities (being laboratory sample handling, administration and reception) since her employment in the LHD working in the pathology area prior to pathology functions and staff transferring to NSWHP in 2012. M was first granted access to the EMR on 30 January 2004. Ms Macpherson says that M's role was different to the duties required to be undertaken by EQH.
When an employee changes roles, system access is reviewed by the relevant NSWHP laboratory manager or by Ms Macpherson as the regional supervisor. Where appropriate, access is reduced or withdrawn if the change in an employee's role means the employee no longer requires access for any laboratory tasks.
Ms Macpherson sets out that access to the LIS at the subject NSWHP laboratory is only provided via a login and password issued by NSWHBIT. Access to those systems is via a secure login and is digitally recorded for an audit trail.
Access to the EMR PowerChart is provided at the request of the employee's supervisor via SARA (Search and Request Anything, the NSW Health Service Desk system). The access request is referred to the Local Health District's network administrators for internal approval by Department Managers, with Ms Macpherson signing off. Users are required to enter a network name and password to sign in to the EMR. When signing in, users must agree to and accept the conditions of use of the EMR as part of the privacy obligations owed by the user. The conditions are:
'Access and use of the solution system (including components thereof) require, and are governed by, licence(s) from the Cerner Corporation. Unauthorised use, access, reproduction, display or distribution of any portion of this solution or the data contained therein may result in severe civil penalties and criminal penalties.'
Whenever an employee logs onto a computer provided by NNSWLHD (the LHD in which the subject NSWHP laboratory resides), and before accessing the LIS or EMR, the user must agree to conditions of access that make specific reference to privacy obligations. Relevantly those conditions include:
'…
(3) 'unacceptable use includes violation of the privacy or rights for the user';
(4) 'the user is responsible at all times for the proper use of an allocated password and for all access under the password, which should be changed regularly to prevent misuse'; and
(6) 'it is the policy of all NSW Health agencies that computer resources are monitored by means of software or other equipment to protect the integrity of computing systems, work stations and programmes, and to guard against intentional and inadvertent access to inappropriate and/or unlawful material and/or inappropriate use'.
Ms Macpherson says she is unaware of other privacy incidents or allegations of privacy breaches at the subject NSWHP laboratory. Until EQH's complaint and the allegations raised therein, Ms Macpherson had not become aware of allegations of staff asking other staff members to access their results or of staff using each other's logons.
Despite the cross-examination, I accept Ms Macpherson's evidence that M was required to have access to the EMR and LIS as part of her duties as a technical assistant.
I also accept Ms Macpherson's evidence that NSWHP staff who have access to the EMR (with the exception of NSWHP doctors or senior hospital scientists) have 'enquiry only' access and do not have the ability to change or enter any information into the system. Her evidence in this regard was not challenged in the cross-examination.
I also accept Ms Macpherson's evidence that employees using other employees' login details and/or asking an employee to access their health information was not a widespread issue. Ms Macpherson was not challenged in the cross-examination on this part of her evidence.
Ms Macpherson rejected EQH's proposition that the level of supervision and direction of staff undertaking the roles of admin officer or technical assistant at the front desk was unreasonable or not appropriate. She said: "the current level of supervision, together with the expectation that staff will take responsibility for their own behaviour and knowledge of their obligations, is ordinarily sufficient. Where it is apparent that staff members do not meet these expectations, disciplinary action is considered."
In cross-examination Ms Macpherson said that when she is 'in the field' and sees a computer left logged in by a staff member, she either closes the session herself and/or reminds staff members that it needs to be closed.
I find that Ms Macpherson is an honest and reliable witness and accept her evidence.
[6]
Evidence of EQH
EQH filed combined written submissions which contain a combination of both evidence and submissions. The written document was admitted (absent objection) and is marked A2.
It is uncontroversial that EQH, via a GIPA Act application to the LHD, discovered that an employee (M) of NSWHP had accessed her medical records held by the NNSWLHD.
As set out above, I have accepted EQH's evidence that she did not request M to access her personal and medical information. The Respondent found that M breached its privacy policies and guidelines in that M did on at least 7 occasions access EQH's personal health information.
EQH says that M had no reason to access EMR patient clinical information as part of carrying out her role as a technical assistant. For the reasons set out above, I have accepted Ms Macpherson's evidence on this point and find that M did have reason to use the EMR system as part of her role as a technical assistant. I reject EQH's evidence and submissions to the extent that they assert M was not required to use the EMR system as part of her role as a technical assistant. I also reject EQH's evidence that NSWHP has not restricted access to the EMR system on a 'needs only' basis in accordance with the NSW Health Privacy Manual for Health Information 2015 (3rd Ed) (annexed to Mr Ryan's statement at MR-12). In that regard, I accept Ms Macpherson's evidence that the Respondent has procedures in place to restrict access in circumstances where an employee's role does not require access to a particular system.
It is not in contest that M accessed EQH's personal health information without a legitimate need to do so.
I accept EQH's evidence that she was unaware M had access to the EMR system and it follows that for that reason she would not have requested M to do so.
[7]
Privacy Training
EQH was not cross-examined. I accept her evidence that the mandatory privacy training is estimated to take only 20 minutes at the time of induction and is not required to be repeated. That it is not repeated is consistent with the Respondent's evidence.
I accept EQH as a truthful and reliable witness.
[8]
Consideration
The parties filed written submissions and made oral submissions. So far as relevant, I deal below with various parts of the written submissions and make further findings in determining whether the Respondent contravened the obligation imposed on it by HPP 5(1)(c) of the HRIP Act.
[9]
Vicarious Liability
EQH contends that the law of vicarious liability applies such that the Respondent is vicariously liable for the actions of M and, in the result, the 'rogue employee' argument raised by the Respondent should not apply.
EQH alleges that the employee role descriptions annexed to R2 [AS-1 and AS-2] and the statement of M found at Mr Ryan's statement [MR-8], indicate that accessing patient results is an authorised act by the Respondent and fulfils the employee's duties. EQH argues that the Respondent assigned M the 'special role' of accessing and communicating patient results. This role gave the 'occasion' for the wrongful act of accessing EQH's pathology results on 7 occasions. In these circumstances, EQH contends that the Respondent is vicariously liable for the acts of M. In support of this contention a number of cases are relied on by EQH that deal with the law of vicarious liability.
The New South Wales Court of Appeal in Director-General, Department of Education and Training v MT (2006) 67 NSWLR 237; [2006] NSWCA 270 ('MT'), held that common law rules of attribution, such as the principles of vicarious liability referred to by EQH in her written submissions, are not necessarily of assistance when considering the attribution of an employee's conduct to an agency for the purposes of the agency's obligations under the PPIP Act. It is necessary to begin with the scope and application of the legislation in determining when a person's conduct or knowledge should be attributed to an agency, having regard to the scope and purpose of the legislative scheme.
Relevantly, Spigelman CJ, with whom the Court unanimously agreed, said:
'41 The legislative scheme is concerned with the conduct of public sector agencies acting for their public purposes. The most relevant obligation with respect to unauthorised use of information held by an agency, of a character which has occurred in the present case namely use or disclosure for a non-agency purpose, is that imposed by s12(c), set out above, requiring the agency to take steps to 'ensure … that the information is protected … against … unauthorised access, use … or disclosure'.
42 Furthermore, the legislative scheme makes separate and distinct provision in s62(1) for employees who disclose or use personal information for a purpose outside the scope of their official functions.
'62(1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use any personal information about another person to which the official has or had access in the exercise of his or her official functions.'
43 The interaction of s12(c) and s62(1) is such that, in my opinion, it leaves no scope for the extension of each reference to conduct of the public sector agency to encompass any conduct by an employee or agent, irrespective of whether it is within the scope of his or her functions as such. Where, as here, the 'use' or 'disclosure' of information was for a purpose extraneous to any purpose of the Department, it should not be characterised as 'use' or 'disclosure' by the Department or conduct of the Department. It is not appropriate to adopt a rule of attribution that extends so far.
44 There is a tension between s12(c) and the interpretation adopted by the Appeal Panel and urged on this Court by the Respondent. The express regulation of 'unauthorised use or disclosure' is qualified by the condition that the 'safeguards' must only be 'reasonable'. This Court should be slow to interpret a statutory obligation expressed in general terms with the effect that it overlaps with another obligation which is expressed in conditional terms. …
45 Of course parliament may have intended that statutory obligation should overlap. In the Act under consideration, however, the focus of Parliamentary attention is upon a public agency acting in that capacity for public purposes. Where the agency has satisfied its obligation under s12, it was not, in my opinion, Parliament's intention to expose every such agency to a form of absolute liability for the unauthorised private conduct of its employees or agents.
46 Nothing in the text or the scope and purpose of the legislative scheme suggests that parliament intended to impose absolute regulatory liability. Indeed, s12(c) itself imposes an obligation only to adopt such 'safeguards as are reasonable in the circumstances'.'
The provisions of s 12(c) of the PPIP Act are identical to those found in HPP 5(1)(c) of the HRIP Act. In similar terms to s 62 of the PPIP Act, s 68 of the HRIP Act includes:
'68 Corrupt disclosure or use of health information by public sector officers
(1) A public sector official must not, otherwise than in connection with the lawful exercise of his or her official functions, intentionally disclose or use health information about an individual to which the official has or had access in the exercise of his or her official functions.
…'
The inclusion of s 68 in the HRIP Act's legislative scheme in my view tells against importing principles of vicarious liability for employees' conduct into the privacy context, which accords with the reasoning of the Court of Appeal in MT.
I find that the purposes for which M accessed EQH's health information were extraneous to her employment with the Respondent. Any access to health information for a purpose other than that required for M to fulfil her duties and obligations as an employee of the Respondent was extraneous to the Respondent's purposes. M had no work-related reason to access the health information of EQH. Given that the policies and procedures described by Mr Ryan served to protect the health information of persons held by the Respondent, M could have had no reasonable expectation that accessing EQH's health information was required by her duties, and in doing so she breached her obligations as an employee.
I reject EQH's contention that the acts of M were not extraneous to any purpose of the Respondent. I find in the context of EQH's argument about vicarious liability that MT is instructive and the scope and purpose of the legislation do not extend to import vicarious liability on the Respondent in the circumstances of these proceedings.
[10]
Employee Access to Hospital Records via EMR
EQH contends that there was no need for M to have access to the EMR in carrying out her duties as a technical assistant. EQH has annexed to her written submissions position descriptions for M covering the dates ranging 27 May 2009 to 19 July 2017 and 19 July 2017 to present. Indeed, in each of those position descriptions, there is no specific mention of a requirement to access the EMR system.
EQH argues that she is employed as a technical assistant to perform phlebotomy and specimen reception area duties and does not have access to the EMR system despite processing pathology specimens and performing data entry. She relies upon this evidence to demonstrate that M, who is employed also as a technical assistant, did not require access to the EMR for similar reasons.
As set out above, I have accepted the unchallenged evidence of Ms Macpherson. I accept that EQH is not in a position to state what M has done or not done in her role and what functions have ever been, or not, performed at the laboratory reception by her. I prefer and accept the evidence of Ms Macpherson and the reasons she has provided explaining why M did require access to the EMR system to carry out her role as a technical assistant. I also accept Ms Macpherson's unchallenged evidence that technical assistants carried out different roles depending upon the needs of the Respondent.
I note that EQH states in her submissions that she does not have access to the EMR system. In my view, this supports the evidence of the Respondent that providing access to the EMR system is on a 'needs only' basis in accordance with s 16.3.3 of the Health Privacy Manual.
EQH cites BVS v Sydney Local Health District [2015] NSWCATAD 171, ('BVS'). That case involved information concerning access approval for the EMR system. EQH contends that access to the EMR system required a form to be submitted to the employee's manager, who would then approve the access form and forward it to the local health district for action. EQH contends that the Respondent has not managed the compliance function with regard to staff access to systems as it has failed to provide any documentation regarding M's access, or other employees' access, to the EMR system.
The Respondent has included in its submissions in reply the 'General Retention and Disposal Authority: GA28' ('the GRDA') which was made pursuant to s 21(2)(c) of the State Records Act 1998 ('SRA'). Clause 20.23.1 of the GRDA provides:
'Records relating to requests and permissions for employees to access or connect to technology and telecommunication systems, e.g. local area networks, internet, function-specific systems etc.
… retain in accordance with the organisation's requirements, then destroy'
The Respondent contends that in circumstances where M has had access to the EMR since 2004, at least since M's transfer of employment from NNSWLHD to NSWHP, M's role required access to the EMR; M's role has not materially changed since that time; and since that time, the platform for access requests and approvals has changed. I accept this evidence. I draw an inference that the NSWLHD's requirements did not require the access records to be retained until now and that they have been destroyed in accordance with the GRDA.
I accept the Respondent's submission that the absence of records that are not required by the SRA to be retained cannot lead to a conclusion that an agency has not taken reasonable safeguards against unauthorised access of health information. I also note that the Respondent's privacy manual for health information at clause 9.1 specifically refers to the retention and disposal of personal health information and that HPP5 operates subject to other lawful requirements, including the requirements of the SRA.
I reject EQH's contention that the inability of the Respondent to produce records in this context can lead to a conclusion that it has not taken reasonable safeguards against unauthorised access of health information.
I make similar findings in relation to EQH's contention that the absence of records relating to M's EMR training can lead to a conclusion that the Respondent has not taken reasonable safeguards in respect of health information. I note that clause 18.11.3 requires any records of EMR training to be kept for no longer than 2 years in any event. There is no evidence that indicates that M did not receive training in 2004 when she commenced employment with the Respondent. I infer it was likely that she would have received such training given the current policies and procedures before me, particularly Module 1 and that M accepts she accessed EQH's records contrary to the Respondent's policies and procedures.
[11]
Did the Respondent Contravene HPP5 ('Retention and security')
The Tribunal and its predecessor, the Administrative Decisions Tribunal, have considered HPP5 and its equivalent, s 12(c) of the PPIP Act, in numerous decisions.
In FH v Commissioner, New South Wales Department of Corrective Services [2003] NSWADT 72 at [41], O'Connor DCJ said:
'[i]t is not … necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings needs to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the person whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur.'
The level of security required will depend on both the nature of the information and how it is stored (see ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 ('ALZ') at [31]; CYH v Family and Community Services NSW [2018] NSWCATAD 84 at [31]).
However, it is clear that 'the 'safeguards' must only be 'reasonable'' (see MT at 247 [44], 248 [46]).
In NS v Commissioner, Department of Corrective Services [2004] NSWADT 263, the Tribunal considered reasonable safeguards to prevent unauthorised access to personal information. The Tribunal found that a statement which a person was required to acknowledge each time they accessed the database, namely 'the information from the system now available to you is confidential and must not be disclosed to an unauthorised person under any circumstances, nor are you authorised to access such information for personal reasons', was a reasonable safeguard.
The Respondent submits that the statements of Mr Ryan and Ms Macpherson establish the following safeguards which were in place, which, in the Respondent's view, were and are reasonable:
1. access to the EMR and LIS can be audited upon request;
2. access to the EMR and LIS is restricted to those who have been approved as requiring access for the purpose of fulfilling their duties and who have been trained;
3. each time an employee of NSWHP logs onto a computer provided by the local health district in which the laboratory involved in the incident resides, which login is required to obtain access to the EMR and LIS, the employee is required to acknowledge and accept, amongst other things, that they are bound by NSW Health's policies regarding use of communication systems and the NSW Health code of conduct, and that 'violation of the privacy of or rights of other users' constitutes unacceptable use that may lead to disciplinary action.
I am not satisfied the evidence establishes that the Respondent was aware of its employees using the logins of other employees or asking other employees to access the first employee's results, which could lead to a finding that reasonable safeguards were not in place by the Respondent.
I am satisfied that the Respondent had the policies and procedures in place identified by Mr Ryan in paragraphs [31]-[38] above. The Respondent took steps to bring its policies, and the requirement that staff comply with them, to the notice of its employees. Those steps include: mandatory training in privacy obligations; optional training on handling personal health information (noting that such training is frequently mandated for relevant staff after a privacy incident); the NSW Health/NSWHP privacy leaflet for staff; staff memoranda and correspondence; and, to a lesser degree, articles in the NSWHP staff publication 'Compass'.
I reject EQH's argument that the same safeguards accepted by the Tribunal in BVS should be adopted in this case. Each matter is to be determined on the evidence before the Tribunal. In my view, the safeguards taken by the Respondent as set out in paragraphs [31]-[38] above evidence the reasonable safeguards taken by the Respondent against unauthorised access to EQH's personal information.
[Not for Publication]
EQH contends that the auditing processes by the Respondent are unnecessary and reactive rather than proactive. The Respondent argues that any proactive audit must necessarily involve randomly selecting employees, obtaining audit results for that employee over a period and requiring the employee to provide the reason for each access, which would be a resource intensive process. I note and apply the findings in FH at [94] in that it is not necessary to show that the security policies and practices are perfect or ideal in every respect.
In my view, whilst the auditing processes in place by the Respondent may not be perfect, they are reasonable where audits are conducted by the Respondent following an allegation of inappropriate access by a user. An investigation follows and any disciplinary action is taken in accordance with the Respondent's policy as set out by Mr Ryan.
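The following is an added illustration and is not part of the Tribunal's reasons, nor code from NSWHP's EMR or LIS systems. It shows how a proactive audit of the kind contrasted with the Respondent's reactive process could be run over access logs without interviewing every employee first: accesses by staff to their own records, accesses to records of fellow staff (the pattern at issue here), and use of a system the user has not been approved for are flagged automatically, and only a random sample of the remaining accesses is referred for a justification request. The log format, field names, roster and approval table are all assumptions constructed for the example.

```python
"""Proactive access audit over constructed EMR/LIS access-log lines.

Added illustration only; not the Tribunal's text and not NSWHP code.
The CSV layout, user and patient identifiers, roster and approval table
below are assumptions made for this example.
"""
import csv
import random
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed sample log: one line per record view, already joined to the
# patient identifier (MRN). Field names are assumed for this example.
SAMPLE_LOG = """\
ts,system,user,patient,action
2017-02-21T09:12:00,LIS,u_m,mrn_eqh,view_results
2017-02-21T09:13:10,LIS,u_m,mrn_1001,view_results
2017-03-02T14:05:00,EMR,u_k,mrn_1002,view_chart
2017-03-02T14:06:30,EMR,u_k,mrn_k,view_chart
2018-06-11T08:40:00,LIS,u_m,mrn_eqh,view_results
2018-06-11T08:41:00,LIS,u_j,mrn_1003,view_results
2019-03-26T16:20:00,LIS,u_m,mrn_eqh,view_results
"""

# Constructed staff roster: which patient identifiers belong to staff members
# (staff who are also patients of the service).
STAFF_MRN = {"u_eqh": "mrn_eqh", "u_m": "mrn_m", "u_k": "mrn_k", "u_j": "mrn_j"}

# Constructed approval table: systems each user has been approved to use
# on a needs-only basis.
APPROVED = {"u_m": {"EMR", "LIS"}, "u_k": {"EMR"}, "u_j": {"EMR"}}


@dataclass(frozen=True)
class Finding:
    kind: str       # self_access | staff_record_access | unapproved_system | sampled
    user: str
    patient: str
    ts: str
    system: str


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def audit(rows, staff_mrn, approved, sample_rate=0.2, seed=0):
    """Return the accesses that warrant a justification request.

    Rule-based findings are deterministic; the residual population is
    sampled with a seeded RNG so the selection is reproducible for review.
    """
    mrn_to_staff = {mrn: user for user, mrn in staff_mrn.items()}
    rng = random.Random(seed)
    findings = []
    for r in rows:
        owner = mrn_to_staff.get(r["patient"])
        if owner == r["user"]:
            kind = "self_access"
        elif owner is not None:
            kind = "staff_record_access"
        elif r["system"] not in approved.get(r["user"], set()):
            kind = "unapproved_system"
        elif rng.random() < sample_rate:
            kind = "sampled"
        else:
            continue
        findings.append(Finding(kind, r["user"], r["patient"], r["ts"], r["system"]))
    return findings


def summarise(findings):
    """Per-user counts of each finding kind."""
    per_user = defaultdict(lambda: defaultdict(int))
    for f in findings:
        per_user[f.user][f.kind] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def repeat_occasions(findings, min_occasions=2):
    """Users who viewed staff records (their own or a colleague's) on at
    least `min_occasions` distinct calendar days, with the day count."""
    days = defaultdict(set)
    for f in findings:
        if f.kind in ("self_access", "staff_record_access"):
            days[f.user].add(f.ts[:10])
    return {u: len(d) for u, d in days.items() if len(d) >= min_occasions}


if __name__ == "__main__":
    found = audit(parse_log(SAMPLE_LOG), STAFF_MRN, APPROVED)
    for f in found:
        print(f)
    print(summarise(found))
    print(repeat_occasions(found))
```

The rule-based findings need no sampling at all, so the cost of the proactive step is bounded by the number of staff-record and out-of-scope accesses plus whatever sample rate the agency chooses; the justification request then goes only to the users listed, not to a random employee population.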
As FH makes clear, the Tribunal must consider an agency's safeguards as a whole.
I reject EQH's implied contention that what is central to this proceeding is the employee's subjective knowledge of her obligations. As found in BZX v Western Sydney Local Health District; BZY v Western Sydney Local Health District; BZZ v Western Sydney Local Health District [2015] NSWCATAD 210 at [34]:
'It does not necessarily follow from the failure of a staff member to comply with a policy, that the agency's security safeguards are inadequate.'
The test in s 12 is an objective one which focuses on whether security safeguards are reasonable 'in the circumstances'.
I find that the Respondent has taken sufficient security safeguards which were reasonable in respect of EQH's personal health information to protect that information against loss, unauthorised access, use, modification, disclosure and against all other misuse. I find that the Respondent was not responsible for M's conduct in accessing EQH's personal health information outside the course of her duties.
EQH alleges or contends that in M viewing her private health information the Respondent has breached HPP10. HPP10 provides:
'(1) An organisation that holds health information must not use the information for a purpose (a 'secondary purpose') other than the purpose (the 'primary purpose') for which it was collected unless …'
A number of exceptions follow in relation to HPP10.
The Respondent's primary submission is that it is not responsible for the conduct of M contrary to her employment obligations. Where a 'use' is for a purpose extraneous to any purpose of the agency, such that the agency has not breached HPP5(1)(c), the use is not to be characterised as 'use' by the agency (see MT 243 [43]). In my view, there can be no breach of HPP10 as there has been no 'use' by the Respondent.
Further, merely accessing or viewing health information does not constitute a 'use' for the purposes of HPP10, unless the information is also 'employed' for some purpose. There is no evidence that M employed the health information of EQH that she accessed in a way involving 'some administrative action or consequence' (see MT at [44]).
EQH contends that the Patient Administration System Security and Access Policy (2014) places responsibility on management for ensuring the security of patient records. She submits that it is clear from this policy that considerable responsibility rests with management to manage the risk and ensure that health information is safeguarded. EQH contends that insufficient safeguards were provided by management in this regard. The Respondent's evidence reveals that employees are regularly reminded to log off computers before leaving them unattended (memos at MR-24 and MR-27 of Mr Ryan's statement). Mr Ryan also states that the Respondent is able to audit many of the documents an employee has read regarding quality management within the laboratory, some of which relate to privacy and the use of the EMR. I find that these procedures are indicative of reasonable safeguards put in place by the Respondent against unauthorised access to personal health information.
[12]
Privacy Training
EQH contends that the NSW Health privacy manual requires mandatory training regarding privacy. Clause 6.1.3 of that manual requires all NSW Health staff to complete one of the two privacy online training modules as part of their mandatory training requirement. The policy does not require repeat mandatory training of the privacy modules unless otherwise required as part of a remedial process, or as a result of updates made to the module itself.
EQH submits that the Privacy Module 1 - Know your boundaries can be completed in as little as 10 minutes. Apart from this module, there is no other mandatory training required of an employee of the Respondent. EQH says that the NSWHP training requirement for staff is inadequate considering the sensitive nature of health information which should be safeguarded.
The evidence of Mr Ryan sets out that the crucial message to staff in respect of privacy is: 'Do not access the patient's health information unless you are required to do so in the course of your employment.' This message appears in: staff memos (MR-24 and MR-27); the privacy leaflet for staff (MR-19); and the Health Privacy Manual (MR-12) at page 186.
In my view the message is sufficiently simple to bring to the attention of staff a clear and well-communicated statement informing the Respondent's staff of their privacy obligations. It may not be perfect but in my view, it is sufficient to reasonably safeguard personal and personal health information.
In similar circumstances, whilst Privacy Module 2 is not mandated for all employees, the evidence reveals that it is also sufficiently simple, clear and well communicated to make its message reasonable to participants engaging in the training module.
Documents annexed at (MR-24 and MR-27) are specific to NSWHP. The privacy leaflet at (MR-19) has been reproduced and issued by NSWHP. I reject EQH's contention that some of the resources provided by the Respondent are not contextualised to the functions of NSWHP. In any event, I find reasonable safeguards do not require material produced by the Respondent to be contextualised to NSWHP in circumstances where the nature of the information in question, being a patient's health information and the employer's obligations in respect of that information, are said to be the same across all NSW Health agencies.
EQH argues that some of the documents provided by the Respondent are 'passive resources' and cannot be considered to be communications to staff. I accept the Respondent's submissions that it is entitled to assume that its employees have read the policies, procedures and resources it directs to them. Mr Ryan evidences that each of the documents produced in these proceedings has been made available to staff, either electronically or in some respects in print, and in my view, the distribution of these materials is reasonable in the circumstances. I further find that it is reasonable for each employee to acknowledge that they have accepted and read and understood and will comply with PD2009_076 Use and Management of misuse of NSW Health Communication Systems. I also note that the memo reproduced at (MR-24) post-dated the conduct under review and that a further updated memo has been reproduced at (MR-27) attached to the supplementary statement of Mr Ryan.
EQH cites CJU v Safework NSW [2018] NSWCATAD 300 ('CJU') as authority that the adequacy of staff training is a pivotal element in determining whether an agency is liable for the conduct of its employees. CJU can be distinguished in this matter as it was primarily about the proper remedy for a breach of s 18(1) of the PPIP Act. Whether the Respondent had breached s 12(c) of the PPIP Act (being the equivalent of HPP5(1)(c)) was not an issue in those proceedings. The case can be distinguished on its facts. In this matter, I must decide whether the Respondent has taken reasonable safeguards to prevent unauthorised access, use or disclosure of personal information. In CJU the Tribunal had to determine whether the respondent had taken reasonable steps after it conceded a breach of the PPIP Act. I am not satisfied that CJU compels the Respondent to have mandatory training of the kind discussed in that case, such that its absence could lead to a contravention of HPP5(1)(c) of the HRIP Act.
[13]
Action Taken to Ensure Compliance by Staff with Policies and Procedures Regarding Privacy
As set out above, I have found that the audit process of the Respondent is reasonable in the circumstances.
EQH contends that Mr Ryan's acknowledgement and signature concerning privacy annual audits for the periods 2018 to 2019 and 2019 to 2020 are contradictory. EQH states that the compliance activities undertaken for both years is recorded by Mr Ryan as being 'privacy audits on access to information systems'. EQH says that this is in direct contradiction to Mr Ryan's statement where he states that the audits are conducted only in response to an allegation of inappropriate use or allegations of breach of privacy.
I reject this contention and find that the privacy annual reports are not required to provide information as to every audit undertaken. The statements of Mr Ryan are not limited to applications for internal review made pursuant to Part 5 of the PPIP Act, but may encompass any complaint of inappropriate access. The privacy annual report is required only to include statistical details of any review conducted pursuant to Part 5 of the PPIP Act.
I also reject EQH's submission that the LIS system allows access to patient health records onscreen without any requirement to make a note regarding the access or without downloading the results to a medical practitioner. I accept the evidence of Mr Ryan that the audit can detect users accessing patient health records on that system.
I also reject EQH's contention that the policies and guidance submitted by the Respondent do not provide information to staff regarding access to the health records of other staff. In my view it is implicit that the personal health information of any patient could include that of a member of the Respondent's staff. As such, Privacy Module 1 would extend to the protection of the privacy of staff who are patients.
[14]
Lack of Supervision
I reject EQH's submission that the Respondent lacks appropriate supervision of its staff. Intensive supervision of each employee in my view is not reasonable given the nature and practice of the Respondent's business. I have placed considerable weight on the evidence of Ms Macpherson in this regard.
[15]
What Action was Taken Against the Employer
[Not for Publication]
[Not for Publication]
[16]
Conclusion
I am satisfied that the Respondent has taken reasonable safeguards against intrusion by staff into patient privacy, and against potentially serious privacy breaches, which included:
1. taking reasonable steps to make staff aware of their privacy obligations;
2. restricting access to patient health information to only those employees who need to access it to perform their duties;
3. informing staff that their actions in accessing patient health information will be monitored;
4. informing staff of the consequences that may follow unauthorised access; and
5. taking action against employees in respect of an intrusion where it considers it appropriate.
I find that the Respondent has complied with the health information security obligations imposed on it by HPP5(1)(c). It is therefore my finding that the Respondent was not responsible for the actions of M in respect of the subject incidents and, pursuant to s 55(2) of the PPIP Act, I decide not to take any further action on the matter.
[17]
Orders
1. The decision of the Respondent made on 26 February 2021 is affirmed.
2. No further action is taken.
[18]
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
DISCLAIMER - Every effort has been made to comply with suppression orders or statutory provisions prohibiting publication that may apply to this judgment or decision. The onus remains on any person using material in the judgment or decision to ensure that the intended use of that material does not breach any such order or provision. Further enquiries may be directed to the Registry of the Court or Tribunal in which it was generated.
Decision last updated: 09 February 2022
On 1 April 2021, the Applicant filed an application seeking a review of the conduct of the Respondent. The Applicant, known under a pseudonym ("EQH"), alleges that the Health Administration Corporation ("the Respondent") contravened several of the Information Protection Principles ("IPPs") contained within Division 1 of Pt 2 of the Privacy and Personal Information Protection Act 1998 ("the PPIP Act"), and their equivalents in the Health Records and Information Privacy Act 2002 ("the HRIP Act").
EQH was represented by her agent. The Respondent was represented by Ms A Sapienza, for the Crown Solicitor.
This decision is to be read in conjunction with EQH v NSW Health Pathology [2021] NSWCATAD 215, where I made orders relating to the publication restrictions set out in the coversheet.
On 11 November 2020, EQH made a privacy complaint to NSW Health Pathology ("NSWHP"), her employer, after discovering through a Government Information (Public Access) Act 2009 ("the GIPA Act") application that a fellow NSWHP employee ("M") had accessed her NSW Health hospital records. EQH contends that the access by M was in breach of both the PPIP Act and the HRIP Act.
On 3 May 2021, the Tribunal directed, by consent, for the proceedings to be listed for hearing to determine whether the Respondent has any liability for the conduct of M within the terms of the HRIP Act.