ALZ v WorkCover NSW
[2014] NSWCATAD 49
•24 April 2014
NSW Civil and Administrative Tribunal
New South Wales
Medium Neutral Citation: ALZ v WorkCover NSW [2014] NSWCATAD 49 Hearing dates: On the papers Decision date: 24 April 2014 Jurisdiction: Administrative and Equal Opportunity Division Before: S Montgomery, Senior Member Decision: The matters are to be listed for a planning meeting at 9.30 am on 17 June 2014.
Catchwords: health information - collection - use, - storage - disclosure - access and accuracy - contravention of HPPs Legislation Cited: Administrative Decisions Tribunal Act 1997
Civil and Administrative Tribunal Act 2013
Privacy and Personal Information Protection Act 1998
Health Records and information Privacy Act 2002
Government Information (Public Access) Act 2009
Work Health and Safety Act 2011
Occupational Health and Safety Act 2000Cases Cited: HW v Commissioner of Police, New South Wales Police Service and Anor [2003] NSWADT 214
JD v Director General, NSW Department of Health (No.2) [2004] NSWADT 227
KJ v Wentworth Area Health Service [2004] NSWADT 84
LN v Sydney South West Area Health Service (No 2) [2010] NSWADT 38
NX v Office of the Director of Public Prosecutions [2005] NSWADT 74
PN v Department of Education and Training [2010] NSWADTAP 59
QB v Greater Southern Area Health Service [2011] NSWADT 90
SB v Roads and Traffic Authority [2010] NSWADT 255Category: Principal judgment Parties: ALZ (Applicant)
WorkCover NSW (Respondent)Representation: ALZ (Applicant in person)
P Martin, Legal Officer Work Cover NSW (Respondent)
File Number(s): 123291; 133003
reasons for decision
This matter was commenced in the General Division of the Administrative Decisions Tribunal ("the ADT") pursuant to the Administrative Decision Tribunal Act 1997 ("the ADT Act"). On 1 January 2014, the ADT was abolished and its functions were taken over by the Civil and Administrative Tribunal of New South Wales ('NCAT'). The present decision is therefore a decision of NCAT. However, because the proceedings to which it relates are 'part heard proceedings' as defined in clause 6(1) of Schedule 1 of the Civil and Administrative Tribunal Act 2013, they are to be determined as if that Act had not been enacted (see clause 7(3)(b) of this Schedule).
In these reasons the names of private individuals have been anonymised so as to preserve the privacy of their personal affairs. The Applicant is referred to as ALZ.
These two matters relate to a complaint by the Applicant regarding the collection, use, storage, disclosure, access and accuracy of her health information. She alleged that the Respondent's conduct in regard to the information was in breach of several the Health Privacy Principles ("HPPs"), set out in Health Records and information Privacy Act 2002 ("HRIP Act"). At relevant times the Applicant was employed by a local council ("the Council").
The conduct concerns a medical report dated 10 November 2011 ("the medical report") by a psychiatrist, Dr Prabal Kar. The medical report was prepared in relation to a workers compensation claim brought by the Applicant against the Council. The workers compensation insurer which covered the Council for workers compensation claims was StateCover Mutual Limited ("StateCover"). StateCover and the Council were responsible for processing and managing the Applicant's workers compensation claim. The Respondent obtained a copy of the medical report from the Council.
The Applicant lodged two applications for internal review of the Respondent's conduct relating to the medical report. The first application requested a review of the conduct related to the collection of the medical report from the Council. The second application requested a review of conduct related to the use, storage, disclosure, and access and accuracy of the medical report.
The Respondent's Privacy Officer conducted both internal reviews, and made determinations in each of them that no breach of the HPPs was established. The Tribunal may review the conduct that was the subject of the application for internal review.
The Applicant subsequently lodged two Applications in the Tribunal, seeking review of the Respondent's conduct in regard to the medical report (matter numbers 123291 and 133003). Although the Applications deal with different HPPs, they concern the same conduct.
The Tribunal's jurisdiction is limited to reviewing contraventions of the HPPs by a "public sector agency. It is not in dispute that the Respondent is a "public sector agency" as defined section 4(1) of the HRIP Act. The scope of the application to the Tribunal is limited to conduct that was the subject of the application for internal review to the Respondent. Matters which the Applicant raises which do not fall within that scope are outside the Tribunal's jurisdiction.
The Respondent denies that its conduct contravened any of the HPPs.
By agreement between the parties, the Applications are to be determined 'on the papers' with the benefit of written submissions by the parties but without the need for a hearing. The parties agreed that the issue of liability should be determined as a preliminary issue.
Background
In August 2011 the Applicant was the subject of an allegation of falsifying time sheets in relation to her work with the Council. She met with her supervisor and her manager in relation to the issue and amendments were made to the timesheets to reflect the outcome of the meeting.
The Applicant alleged that she was subsequently singled out for unfavourable treatment. She made a complaint of bullying against her supervisor and her manager under the Council's Occupational Health and Safety procedures.
The Council's employee relations officer investigated the complaint. He made a draft finding that the Applicant hadn't been bullied and gave the Applicant the opportunity to respond to his draft finding. The Applicant provided a response. The Council's employee relations officer made a final finding that the Applicant hadn't been bullied but recommended an apology and that other action be taken.
The Applicant was not happy with the outcome of the investigation. She phoned WorkCover to inquire about making a bullying complaint. She spoke to an inspector. Her complaint was allocated to Inspector Mick Dall.
The Applicant's complaint was that she had been subjected to bullying directed towards her in the course of her employment with the Council.
In September 2011 Inspector Dall conducted an investigation under the Occupational Health and Safety Act 2000 ("OHS Act") in regard to whether breaches of the OHS Act had occurred. As part of the investigation he spoke with representatives of the Council, including its employee relations officer. Inspector Dall did not contact the Applicant at that time. In October 2011 the Applicant arranged to provide Inspector Dall with the details of her complaint. Inspector Dall received and considered documents from both the Council and the Applicant.
The OHS Act was replaced by the Work Health and Safety Act 2011 on 1 January 2012. Comparable powers are available under the Work Health and Safety Act 2011 to those exercised by Inspector Dall.
Also in October 2011 the Applicant went on sick leave and lodged a workers compensation claim. She was diagnosed as suffering from anxiety and depression.
In November 2011, StateCover required the Applicant to attend an appointment with Dr Kar. The purpose of the appointment was to determine the liability of the Applicant's claim. The medical report, prepared by Dr Kar, was unfavourable to the Applicant. StateCover declined the Applicant's workers compensation claim in December 2011.
In November 2011, the Applicant was disciplined for alleged rudeness. The disciplinary process was a documented informal verbal discussion ("DIVD").
Inspector Dall subsequently met with the Applicant's manager, the Council's employee relations officer, and the Council's human resources manager. Inspector Dall was given a copy of the DIVD but the Applicant contends that the copy provided did not contain her point of view. The Applicant contends that Inspector Dall did not advise her that he had been given a copy of the DIVD nor was she given an opportunity to respond.
During the course of a meeting with representatives of the Council on 6 December 2011 Inspector Dall obtained information that the Applicant had made a workers compensation claim. Inspector Dall was also informed that StateCover had had regard to the medical report.
On 7 December 2011, Inspector Dall notified the Applicant that the investigation was completed and he had formed the view that no breach of the OHS Act was made out. Inspector Dall did not tell the Applicant that he was awaiting further material at that time.
The following week, Inspector Dall told the Council's return to work officer that the medical report was relevant to his investigation and made an oral request for a copy of the medical report. Inspector Dall made that request under section 59 of the OHS Act, which permits an inspector to make an oral demand for documents or information relating to an investigation under the OHS Act. Inspector Dall also advised the Council's return to work officer that if she did not provide the medical report to him, he would issue a formal notice under section 62 of the OHS Act which would compel the Council to provide the medical report.
On 15 December 2011, the Council's return to work officer provided Inspector Dall with a copy of the medical report. Inspector Dall considered the report as part of his investigation. Inspector Dall subsequently prepared a report, dated 19 January 2012, on the Respondent's investigations database known as the "Workplace Services Management System" ("WSMS"). Inspector Dall concluded that no breach of the OHS Act was established, and recommended that no further action be taken in the matter.
Mr Paul Irwin, the Respondent's District Coordinator, subsequently confirmed Inspector Dall's conclusion. Mr Irwin considered the medical report in his review.
In January 2012 the Applicant applied to the Respondent under the Government Information (Public Access) Act 2009 ("the GIPA Act") for access to the documents pertaining to Inspector Dall's investigation. The documents were provided to the Applicant in March 2012.
The documents released under the GIPA Act revealed that Inspector Dall had quoted a paragraph directly from the psychiatric report in support of his findings.
The Applicant was upset that Inspector Dall had used the medical report in this way. She believed that her health privacy had been violated and requested an explanation for, and an internal review of, the alleged breach.
She believed that the Respondent had contravened several of the Health Privacy Principles ("HPPs") set out in the HRIP Act. She alleges contraventions of HPPs 1, 3, 4, 5, 6, 7, 9, 10 and 11.
The Respondent's contends that it did not contravene any of the HPPs identified by the Applicant.
Applicable legislation
The term "personal information" is defined in section 5 of the HRIP Act as:
5 Definition of "personal information"
(1) In this Act,
"personal information" means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
(2) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.
(3) Personal information does not include any of the following:
...
(m) information or an opinion about an individual's suitability for appointment or employment as a public sector official,
...
The term "health information" is defined in section 6 of the HRIP Act as:
"health information" means:
(a) personal information that is information or an opinion about:
(i) the physical or mental health or a disability (at any time) of an individual, or
but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of this Act.
The relevant HPPs are set out in Schedule 1 to the HRIP Act as follows:
SCHEDULE 1 - Health Privacy Principles
...
1 Purposes of collection of health information
(1) An organisation must not collect health information unless:
(a) the information is collected for a lawful purpose that is directly related to a function or activity of the organisation, and
(b) the collection of the information is reasonably necessary for that purpose.
(2) An organisation must not collect health information by any unlawful means.
...
3 Collection to be from individual concerned
(1) An organisation must collect health information about an individual only from that individual, unless it is unreasonable or impracticable to do so.
(2) Health information is to be collected in accordance with any guidelines issued by the Privacy Commissioner for the purposes of this clause.
4 Individual to be made aware of certain matters
(1) An organisation that collects health information about an individual from the individual must, at or before the time that it collects the information (or if that is not practicable, as soon as practicable after that time), take steps that are reasonable in the circumstances to ensure that the individual is aware of the following:
(a) the identity of the organisation and how to contact it,
(b) the fact that the individual is able to request access to the information,
(c) the purposes for which the information is collected,
(d) the persons to whom (or the types of persons to whom) the organisation usually discloses information of that kind,
(e) any law that requires the particular information to be collected,
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
(2) If an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is generally aware of the matters listed in subclause (1) except to the extent that:
(a) making the individual aware of the matters would pose a serious threat to the life or health of any individual, or
(b) the collection is made in accordance with guidelines issued under subclause (3).
(3) The Privacy Commissioner may issue guidelines setting out circumstances in which an organisation is not required to comply with subclause (2).
(4) An organisation is not required to comply with a requirement of this clause if:
(a) the individual to whom the information relates has expressly consented to the organisation not complying with it, or
(b) the organisation is lawfully authorised or required not to comply with it, or
(c) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ), or
(d) compliance by the organisation would, in the circumstances, prejudice the interests of the individual to whom the information relates, or
(e) the information concerned is collected for law enforcement purposes, or
(f) the organisation is an investigative agency and compliance might detrimentally affect (or prevent the proper exercise of) its complaint handling functions or any of its investigative functions.
(5) If the organisation reasonably believes that the individual is incapable of understanding the general nature of the matters listed in subclause (1), the organisation must take steps that are reasonable in the circumstances to ensure that any authorised representative of the individual is aware of those matters.
(6) Subclause (4) (e) does not remove any protection provided by any other law in relation to the rights of accused persons or persons suspected of having committed an offence.
(7) The exemption provided by subclause (4) (f) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.
5 Retention and security
(1) An organisation that holds health information must ensure that:
(a) the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) the information is disposed of securely and in accordance with any requirements for the retention and disposal of health information, and
(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) if it is necessary for the information to be given to a person in connection with the provision of a service to the organisation, everything reasonably within the power of the organisation is done to prevent unauthorised use or disclosure of the information.
Note: Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.
(2) An organisation is not required to comply with a requirement of this clause if:
(a) the organisation is lawfully authorised or required not to comply with it, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ).
(3) An investigative agency is not required to comply with subclause (1) (a).
6 Information about health information held by organisations
(1) An organisation that holds health information must take such steps as are, in the circumstances, reasonable to enable any individual to ascertain:
(a) whether the organisation holds health information, and
(b) whether the organisation holds health information relating to that individual, and
(c) if the organisation holds health information relating to that individual:
(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person's entitlement to request access to the information.
(2) An organisation is not required to comply with a provision of this clause if:
(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ).
7 Access to health information
(1) An organisation that holds health information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
Note: Division 3 (Access to health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.
Access to health information held by public sector agencies may also be available under the Government Information (Public Access) Act 2009 or the State Records Act 1998 .
(2) An organisation is not required to comply with a provision of this clause if:
(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ).
...
9 Accuracy
An organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
10 Limits on use of health information
(1) An organisation that holds health information must not use the information for a purpose (a
"secondary purpose" ) other than the purpose (the
"primary purpose" ) for which it was collected unless:
(a) the individual to whom the information relates has consented to the use of the information for that secondary purpose, or
(b) the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or
Note: For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.
(c) the use of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:
(i) a serious and imminent threat to the life, health or safety of the individual or another person, or
(ii) a serious threat to public health or public safety, or
(d) the use of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and:
(i) either:
a) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or
b) reasonable steps are taken to de-identify the information, and
(ii) if the information is in a form that could reasonably be expected to identify individuals, the information is not published in a generally available publication, and
(iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or
(e) the use of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and:
(i) either:
A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or
B) reasonable steps are taken to de-identify the information, and
(ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and
(iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or
(f) the use of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and:
(i) either:
A) that purpose cannot be served by the use of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or
B) reasonable steps are taken to de-identify the information, and
(ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and
(iii) the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or
(g) the use of the information for the secondary purpose is by a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or
(h) the organisation:
(i) has reasonable grounds to suspect that:
(A) unlawful activity has been or may be engaged in, or
(B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW) , or
(C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and
(ii) uses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or
(i) the use of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or
(j) the use of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or
(k) the use of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph.
(2) An organisation is not required to comply with a provision of this clause if:
(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ).
(3) The Ombudsman's Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions.
(4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency:
(a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or
(b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter.
(5) The exemption provided by subclause (1) (j) extends to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.
11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a
"secondary purpose" ) other than the purpose (the
"primary purpose" ) for which it was collected unless:
(a) the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or
(b) the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or
Note: For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.
(c) the disclosure of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:
(i) a serious and imminent threat to the life, health or safety of the individual or another person, or
(ii) a serious threat to public health or public safety, or
(d) the disclosure of the information for the secondary purpose is reasonably necessary for the funding, management, planning or evaluation of health services and:
(i) either:
(A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or
(B) reasonable steps are taken to de-identify the information, and
(ii) if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and
(iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or
(e) the disclosure of the information for the secondary purpose is reasonably necessary for the training of employees of the organisation or persons working with the organisation and:
(i) (i) either:
(A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or
(B) reasonable steps are taken to de-identify the information, and
(ii) if the information could reasonably be expected to identify the individual, the information is not made publicly available, and
(iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or
(f) the disclosure of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and:
(i) either:
(A) that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual's identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or
(B) reasonable steps are taken to de-identify the information, and
(ii) the disclosure will not be published in a form that identifies particular individuals or from which an individual's identity can reasonably be ascertained, and
(iii) the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or
(g) the disclosure of the information for the secondary purpose is to provide the information to an immediate family member of the individual for compassionate reasons and:
(i) the disclosure is limited to the extent reasonable for those compassionate reasons, and
(ii) the individual is incapable of giving consent to the disclosure of the information, and
(iii) the disclosure is not contrary to any wish expressed by the individual (and not withdrawn) of which the organisation was aware or could make itself aware by taking reasonable steps, and
(iv) if the immediate family member is under the age of 18 years, the organisation reasonably believes that the family member has sufficient maturity in the circumstances to receive the information, or
(h) the disclosure of the information for the secondary purpose is to a law enforcement agency (or such other person or organisation as may be prescribed by the regulations) for the purposes of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person, or
(i) the organisation:
(i) has reasonable grounds to suspect that:
(A) unlawful activity has been or may be engaged in, or
(B) a person has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW) , or
(C) an employee of the organisation has or may have engaged in conduct that may be grounds for disciplinary action, and
(ii) discloses the health information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or
(j) the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of law enforcement functions by law enforcement agencies in circumstances where there are reasonable grounds to believe that an offence may have been, or may be, committed, or
(k) (k) the disclosure of the information for the secondary purpose is reasonably necessary for the exercise of complaint handling functions or investigative functions by investigative agencies, or
(l) the disclosure of the information for the secondary purpose is in the circumstances prescribed by the regulations for the purposes of this paragraph.
(2) An organisation is not required to comply with a provision of this clause if:
(a) the organisation is lawfully authorised or required not to comply with the provision concerned, or
(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998 ), or
(c) the organisation is an investigative agency disclosing information to another investigative agency.
(3) The Ombudsman's Office, Health Care Complaints Commission, Anti-Discrimination Board and Community Services Commission are not required to comply with a provision of this clause in relation to their complaint handling functions and their investigative, review and reporting functions.
(4) Nothing in this clause prevents or restricts the disclosure of health information by a public sector agency:
(a) to another public sector agency under the administration of the same Minister if the disclosure is for the purposes of informing that Minister about any matter within that administration, or
(b) to any public sector agency under the administration of the Premier, if the disclosure is for the purposes of informing the Premier about any matter.
(5) If health information is disclosed in accordance with subclause (1), the person, body or organisation to whom it was disclosed must not use or disclose the information for a purpose other than the purpose for which the information was given to it.
(6) The exemptions provided by subclauses (1) (k) and (2) extend to any public sector agency, or public sector official, who is investigating or otherwise handling a complaint or other matter that could be referred or made to an investigative agency, or that has been referred from or made by an investigative agency.
At relevant times, section 59 of the OHS Act provided:
59 General powers available on entry
For the purposes of this Act or the regulations, an inspector who enters premises under this Division may do any of the following:
(a) make searches, inspections, examinations and tests (and take photographs and make video and audio recordings),
(b) take for analysis a sample of any substance or thing which in the inspector's opinion may be, or may contain or be contaminated by, a substance (or a degradation product of a substance) that is a risk to health,
(c) in the case of an inspector who is a medical practitioner, carry out medical examinations with the consent of the person proposed to be examined,
(d) carry out biological tests in such manner and in such circumstances as may be prescribed by the regulations,
(e) require any person in or about those premises to answer questions or otherwise furnish information,
(f) require the occupier of those premises to provide the inspector with such assistance and facilities as is or are reasonably necessary to enable the inspector to exercise the inspector's functions,
(g) require the production of and inspect any documents in or about those premises,
(h) take copies of or extracts from any such documents,
(i) exercise all other functions that are conferred by, or are reasonably necessary for the purposes of, this Act or the regulations.
Section 62 of the OHS Act provides:
62 Power of inspectors to obtain information, documents and evidence
(1) An inspector may, by notice in writing served on a person, require the person to do any one or more of the following things if the inspector has reasonable grounds to believe that the person is capable of giving information, producing documents or giving evidence in relation to a possible contravention of this Act or the regulations:
(a) to give an inspector, in writing signed by the person (or, in the case of a body corporate, by a competent officer of the body corporate) and within the time and in the manner specified in the notice, any such information of which the person has knowledge,
(b) to produce to an inspector, in accordance with the notice, any such documents,
(c) to appear before an inspector at a time and place specified in the notice and give either orally or in writing any such evidence and produce any such documents.
(2) A notice under this section must contain a warning that a failure to comply with the notice is an offence.
(3) An inspector may inspect a document produced in response to a notice under this section and may make copies of, or take extracts from, the document.
(4) An inspector may take possession and retain possession for as long as is necessary for the purposes of this Act, of a document produced in response to a notice under this section if the person otherwise entitled to possession of the document is supplied, as soon as practicable, with a copy certified by an inspector to be a true copy.
(4) A certified copy provided under subsection (4) is receivable in all courts as if it were the original.
(5) Until a certified copy of a document is provided under subsection (4), the inspector who has possession of the document must, at such times and places as the inspector thinks appropriate, permit the person otherwise entitled to possession of the document, or a person authorised by that person, to inspect the document and make copies of, or take extracts from, the document.
The Applicant contends that, while the OHS Act gives a WorkCover inspector the power to require the production of documents if the inspector believes the documents relate to a contravention of the OHS Act, and while health information may be contained in a document, the health information is not 'a document' for the purpose of section 62 of the OHS Act. She submits that it remains 'health information' and as such it is protected by the HRIP Act.
She further submits that the HRIP Act provides specific and precise statutory protection for people's health information. The OHS Act does not take that statutory protection away. Consequently, she submits, a WorkCover inspector cannot collect health information in the same manner as they would a mere 'document'. They must collect it in accordance with the HPPs.
HPP 1
The Applicant's Case
The Applicant contends that in contravention of HPP 1, the Respondent did not have a lawful purpose for the collection of her health information. She referred to the decision in NX v Office of the Director of Public Prosecutions [2005] NSWADT 74 at paragraphs [19] - [21] where the Tribunal considered the term "lawful purpose". She submits that the term "lawful purpose" has two meanings. It can mean:
- a purpose that is positively authorised by law, or
- a purpose that is not prohibited by law.
The Applicant submitted that the Respondent did not have a lawful purpose for collecting her health information according to either definitions of 'lawful purpose'.
She refers to the advice from Inspector Dall on 7 December 2011 in which he indicated that his investigation into her complaint of bullying was complete.
The Applicant further submitted that while an OHS investigation is a lawful purpose when it is active, the medical report was collected after the investigation was completed. When Inspector Dall collected the health information on 15 December 2011, he could not have done so in relation to an alleged contravention of the OHS Act because his investigation had been completed on 7 December 2011. Accordingly, she argues, inspector Dall did not collect her health information for a lawful purpose.
She submitted that if Inspector Dall wished to rely on his authority under section 62 of the OHS Act, then he should have issued a section 62 notice because an informal, verbal section 59 request does not invoke the authority available to an inspector who has had the grounds to issues a written notice under section 62.
She further submitted that neither section 59 nor section 62 authorise an inspector to collect personal or health information. She points to sections 63, 66 and 137 of the OHS Act in support of her submission that neither section 59 nor section 62 contemplates the collection, voluntarily or by compulsion, of personal or health information.
Section 63 provides that an inspector may require a person to state their name and address if the inspector reasonably suspects that the person has committed an offence against the OHS Act. Section 66 provides that a person must not, without reasonable excuse, refuse or fail to comply with a requirement made by an inspector. Section 137 limits the disclosure of information obtained by inspectors under the OHS Act.
The Applicant contends that if sections 59 and 62 are read to include health or personal information, then section 63 would be redundant. She argued that section 63 authorises an inspector to collect personal information directly from the person concerned when the inspector reasonably suspects that the person concerned has committed an offence against the OHS Act. She says that this is a higher requirement than section 59, which does not require an inspector to have any grounds, or section 62, which requires an inspector to have reasonable grounds to believe a person can give information in relation to a possible contravention. If sections 59 and 62 contemplate/compel the collection of personal or health information, then section 63 would be redundant as the personal information could be collected /compelled with no grounds under section 59.
Further, she submits that if sections 59 and 62 contemplated the collection of health or personal information, then under section 137, personal and health information would have less protection than ordinary information. Section 137 prohibits the disclosure of manufacturing, commercial and working process information. The Applicant submitted that section 137 does not prohibit the disclosure of personal or health information because the collection of personal and health information under sections 59 and 62 is not authorised or contemplated.
The Applicant submitted that the requirement to comply with the HRIP Act or the Privacy and Personal Information Protection Act 1998 ("the PPIP Act ") would be a reasonable excuse for the purposes of section 66 and would permit non-compliance with an inspector's requirements.
She submitted that a correct interpretation of an inspector's power to compel information requires that sections 59 and 62 be read in the context of other relevant sections of the OHS Act, and therefore Inspector Dall was not authorised by sections 59 or 62 to collect the medical report by compulsion or otherwise.
The Applicant further submitted that the collection of her health information was not lawful because StateCover had unlawfully disclosed it to the Council, who unlawfully collected it, before unlawfully disclosing it to the Respondent.
She argued that that the purpose of the medical report was to determine the liability of her claim. She says that Dr Kar was not asked to comment specifically on claims of bullying because he is a psychiatrist, not an industrial relations expert, and his medical opinion had no relevance to the scope of the OHS investigation. It was not reasonably necessary for the investigation and therefore the Respondent's conduct was in breach of HPP1.
The Respondent's Case
The Respondent accepts that it "collected" the medical report from the Council. It submits that it did so in the course of an investigation under the OHS Act.
The Respondent relies on an affidavit provided by Inspector Dall in support of its contention that the medical report was collected for a "lawful purpose", specifically, the conduct of an investigation into an alleged breach of the OHS Act. The Respondent further contends that that purpose is directly related to a function or activity of the Respondent, including the administration and enforcement the OHS Act.
Further, the Respondent submits that it was reasonably necessary for Inspector Dall to obtain the medical report for his investigation into the Applicant's allegations of bullying as the medical report was obtained by StateCover specifically to comment on the Applicant's health and claims of bullying as part of her workers compensation claim.
Inspector Dall provided the following description of the circumstances in which he obtained the medical report and his use of the report:
On 6 December 2011, I had a meeting with [Council] representatives ... In the course of that meeting, it was revealed that the Applicant had made a workers compensation claim. I asked if liability was accepted or denied, and a [Council] representative replied that it had been denied. (I cannot recall precisely which person or persons told me this information.) I then asked why that had happened and requested confirmation. I asked the [Council] representatives to provide me with information, including any medical reports, relating to the workers compensation claim. At that meeting it was mentioned by [Council] representatives that a medical report had been prepared by a Dr Kar in regard to the workers compensation claim. ... I formed the view that it was relevant to the Applicant's complaint of bullying to have regard to the workers compensation claim and the reasons for the claim being denied, as the claim may have related to the conduct that the Applicant was complaining of.
I emailed the Applicant on 7 December 2011 in response to her email dated 30 November 2011. In my email I gave the Applicant my findings, to date, that I had reached in the investigation ... I informed the Applicant that I had formed the view that no breach of the OHS Act 2000 was made out. I said that my investigation was "complete" because, from a practical viewpoint, I had considered a wide range of information (including information provided by the Applicant) and had a sound basis for deciding to take no further action. I did not tell the Applicant that I was awaiting further material, such as medical reports, even though I intended that any further material would assist me in coming to a final decision in the investigation.
On 13 December 2011, I paid a visit to [the Applicant's workplace], as part of my role in the WorkCover Liaison Project with [the Council]. I met the following representatives of [the Applicant's workplace] ... Supervisor ... Centre Manager ... Safety Committee Representative ... We discussed general matters relating to health and safety at [the Applicant's workplace]. We also discussed bullying and whether or not it was occurring at [the Applicant's workplace]. We discussed, among other things, the need to ensure that normal activities were maintained for all personnel working in this environment, including the Applicant.
In the course of that on-site visit, I also briefly saw, and greeted, the Applicant, who was at work at the time. We did not have an in-depth conversation.
I also recall that around that time, I had a discussion [the Council's] Return to Work Co-ordinator. I believe that the discussion took place during the liaison visit to [the Applicant's workplace] on 13 December 2011, as [the Return to Work Co-ordinator] was also present during that liaison visit. I assumed that [the Return to Work Co-ordinator], due to her role at [the Council], would hold or have access to information that was relevant to my investigation. In the course of my discussion with [the Return to Work Co-ordinator], I said to her words to the effect that: "I request that you provide me with a copy of Dr Kar's medical report that relates to [the Applicant's] workers compensation claim. If you don't provide the information voluntarily, I will issue a section 62 notice."
A section 62 notice is a notice that compels the recipient to provide information or documents that relates to an alleged breach of the OHS Act 2000. (The notice is so-called because it is issued under section 62 of the OHS Act 2000.) My request for information in this instance was under section 59 of the OHS Act 2000, which gave inspectors a range of general powers to obtain information and documents relevant to an alleged breach of the OHS Act 2000.
On 15 December 2011, I received from [the Return to Work Co-ordinator] a medical report in response to my request under section 59 on 13 December 2011. The document which I obtained was a report dated 10 November 2011 prepared by Dr Prabal Kar, a consultant psychiatrist, at the request of StateCover ([the Council's] workers compensation insurer) in relation to the Applicant's workers compensation claim in regard to the alleged bullying. I considered Dr Kar's report, among other matters, when deciding whether to continue the investigation, or to conclude it. the medical report included his professional opinion on the Applicant's medical issues and his view that the Applicant did not have work-related medical issues, nor had the Applicant been bullied.
Based on all the material and information that I had obtained during my investigation, I concluded that it was manifestly clear that no breach of the OHS Act 2000 was made out. I therefore decided to close the investigation. I also wrote an entry entitled "Inspector's Report" dated 19 January 2012 ... in which I described my investigation, the materials that I had considered, and my conclusion that no further action was warranted ...
On 23 January 2012, Mr Paul Irwin ... reviewed my report on WSMS and wrote the words: "I agree with the actions taken by the inspectors with regards to this matter." ...
At no time did I disclose the medical report to any person outside WorkCover. The hard copy of the report is stored securely in WorkCover's archives and an electronic form is also securely stored. There is a reference to the report, and an extract taken from the report, in the WSMS entry ... I included this material on WSMS as it was, in my view, relevant to determining the issue of whether the conduct which the Applicant complained of indicated a possible breach of the OHS Act 2000 and whether bullying of the Applicant had taken place.
The Respondent contends that no breach of HPP 1 is established.
Discussion
I do not agree with the Applicant's submission in regard to the relationship between sections 59 and 62 of the OHS Act and sections 63, 66 and 137 of that Act. Sections 59 and 62 address powers of an inspector on entry that is authorised under the OHS Act. The circumstances under which entry is permitted is specifically limited by the Act.
In my view it is reasonable to anticipate that when a power to require the production of documents in relation to a possible contravention of the OHS Act or its regulations is exercised, some personal information might be captured by the request. There will inevitably be situations where breaches of the OHS Act have implications for workers' health. In such situations it is likely that health information could be captured by a request under sections 59 or 62 of the OHS Act.
I am satisfied that sections 59 and 62 of the OHS Act provide a lawful purpose for the collection of health information in relation to an OHS investigation.
In the circumstances of the present matter, the issue arises as to the significance of Inspector Dall's advice to the Applicant that his investigation was complete 7 December 2011. The Applicant reasonably questions whether the medical report has been obtained for the purposes of the investigation when the evidence shows that it was obtained after 7 December 2011.
Inspector Dall gave evidence that he requested copies of any medical reports relating to the Applicant's workers compensation claim at a meeting on 6 December 2011. This request would have captured the medical report and he clearly had not received it prior to his 7 December 2011 advice to the Applicant that his investigation was complete. Notwithstanding the advice that Inspector Dall gave to the Applicant on 7 December 2011, his investigation was clearly not complete. He intended to consider the further material that he had requested from the Council as part of his investigation and he did so. It is apparent that he had reached a preliminary view on 7 December 2011 and his view was ultimately adopted in his report "Inspector's Report" dated 19 January 2012.
Inspector Dall's evidence is that he formed the view that the reason for the refusal of the Applicant's workers compensation claim was relevant to the investigation of her complaint of bullying. Both matters concerned a complaint of bullying.
In SB v Roads and Traffic Authority [2010] NSWADT 255 I stated the view that the expression "reasonably necessary" must take on its natural meaning. I further stated at paragraph [35] that that the expression is meant to be something less than essential.
The Applicant has asserted that Inspector Dall was obligated by HPP 1 to determine in advance that any health information he proposed to collect would ultimately be relevant in some way, and it should be determinative of some factor relevant to the purpose of collection. I do not totally agree with this submission.
In my view, it is reasonable to expect that a request for the medical report was based on a conclusion that the report might be relevant to some factor in his investigation. However, without inspection the medical report he was not in a position to know the extent of its relevance and whether or not it would be determinative.
In my view, Inspector Dall's opinion that the medical report might be relevant to the investigation of the Applicant's complaint was reasonable. If the content of the report had assisted the Applicant's claim Inspector Dall would have been remiss in not considering it. The reverse must also apply.
In the circumstances, I agree with the Respondent that no breach of HPP 1 is established.
HPP 3
HPP 3 provides that an organisation must collect health information about an individual only from that individual, unless it is unreasonable or impracticable to do so. It is common ground that the Respondent obtained the medical report from the Council, and not from the Applicant.
The Applicant's Case
The Applicant concedes that she did not have a copy of the the medical report at the time Inspector Dall requested that he be given a copy. However, she submitted that the fact that StateCover had initiated the report, then disclosed it to Council did not relieve the Respondent of the obligation to collect the Applicant's health information directly from her. Further, she contends that it was not unreasonable or impracticable to ask her to obtain a copy.
She referred to the Australian Concise Oxford Dictionary definitions of the terms 'unreasonable' and 'impracticable' which are said to mean:
Impracticable: impossible in practice
Unreasonable: going beyond the limits of what is reasonable or equitable
The Applicant submitted that it was not "impossible in practice" or "beyond the limit of reasonable" for Inspector Dall to ask her for her health information. She said that she was present at her work place when Inspector Dall asked the Council representative for a copy of the medical report. While she accepts that she did not have a copy of the report, she says that she did have the capacity and the entitlement under the HRIP Act to consent or refuse to consent to:
- the disclosure by StateCover to the Council,
- the collection by the Council from StateCover
- the disclosure by the Council to the Respondent, and
- the collection by the Respondent from the Council.
The Applicant submitted that in order to justify an indirect collection of health information the Respondent is required to have a very serious or compelling circumstance. She contends that it did not and therefore the Respondent has contravened HPP 3.
The Respondent's Case
The Respondent acknowledges that it collected the medical report from a third party, and not from the Applicant. It argues that it was unreasonable or impracticable (and unnecessary) for Inspector Dall to collect the medical report from the Applicant as the medical report (or copies of it) were held by the Council and StateCover, and StateCover (as the workers compensation insurer of the Council) was the entity which instructed Dr Kar to prepare the report.
Further, the Respondent submitted that the Applicant did not, at the relevant time, have a copy of the medical report; therefore it could not have been collected from the Applicant. Inspector Dall had the legal power to require the Council to disclose the medical report to him, and did in fact exercise such power under section 59 of the OHS Act.
The Respondent submitted that no breach of HPP 3 is established.
Discussion
I agree with the Applicant's submission in regard to the meaning to be given to the expressions 'unreasonable' and 'impracticable'. In my view the expressions must take on their natural meaning.
I also agree with the Applicant that that it was not "impossible in practice" or "beyond the limit of reasonable" for Inspector Dall to ask the Applicant to obtain a copy of the medical report or to consent to him obtaining a copy from either the Council or StateCover.
If the Applicant had declined the request, Inspector Dall could have then considered his options. If he was satisfied that the medical report was reasonably necessary to allow him to complete his investigation, he could have advised the Applicant of that view. Armed with that knowledge, the Applicant could have then considered her own options. She might for example have agreed to Inspector Dall obtaining the report, she might have taken action to prevent the release of the medical report or she may have asked Inspector Dall to discontinue his investigation.
In the circumstances that transpired the Applicant was deprived of the opportunity to make any decision in relation to the provision of the medical report.
In my view, the Respondent has contravened HPP 3.
HPP 4
HPP 4 (2) provides that if an organisation collects health information about an individual from someone else, it must take any steps that are reasonable in the circumstances to ensure that the individual is generally aware of the matters relating to the collection.
It is common ground that the Respondent did not notify the Applicant of any of the matters referred to in HPP 4(1).
The Respondent's Case
The Respondent presented several arguments in regard to compliance with HPP 4.
The Respondent's Privacy Management Plan is available on its website.
The Privacy Management Plan sets out the information required by clause HPP 4(1), and includes specific references to the collection of personal and health information and the right to request access to such information.
The Applicant knew who the Respondent was and Inspector Dall was her designated contact person.
The Applicant knew she could request any information related to herself under the GIPA Act.
The Respondent was permitted to not comply with HPP 4 as the medical report was collected for law enforcement purposes. This was said to be related to criminal provisions in the OHS Act.
The Respondent submitted that although WorkCover inspectors are not "police officers" they do carry out "police-like functions" and may enforce criminal offence provisions.
Further, a prosecution of an alleged breach of the OHS Act is a form of "law enforcement" and an investigation which may lead to such a prosecution is necessarily conducted for "law enforcement purposes" and is directly related to those purposes.
Non-compliance with a direction ("or request") under section 59, or a notice issued under section 62 of the OHS Act, is a criminal offence under section 66 of the OHS Act, punishable by a fine. It is submitted that this indicates the compulsory or "police-like" nature of the functions conferred by these provisions in the OHS Act.
The Respondent contends that when carrying out his investigation into the matters raised by the Applicant (including collecting the medical report), Inspector Dall was specifically seeking to determine whether the evidence showed that a criminal offence under the OHS Act had been committed by the Council or other persons. The investigation was not carried out for some purpose that was unrelated, or only partly related to, the purpose of law enforcement.
For these reasons, the Respondent submits that the medical report was collected (and used) for law enforcement purposes within the meaning of HPP 4(4)(e), and therefore the Respondent was permitted not to comply with the requirements in HPPs 4(1) and 4(2). This remains the case even though no criminal prosecution was brought (since the inspector concluded that no breach of the OHS Act was shown on the evidence available).
Compliance with HPP 4 would limit the Respondent's ability to collect evidence and information.
The Respondent submitted that compliance with HPP 4 would place a significant restriction on the capacity of the Respondent's inspectors to carry out their investigative functions in a timely and efficient fashion. Compliance in all circumstances, even when the inspector was exercising lawful authority to collect evidence and information, would limit the Respondent's ability to investigate unsafe workplaces and practices and take appropriate enforcement action where necessary.
Inspector Dall had reasonable grounds to believe that StateCover had already notified the Applicant.
In relation to this ground, the Respondent submitted:
Inspector Dall indicates that he was aware that StateCover, the workers compensation insurer which handled the Applicant's claim, had referred the Applicant to Dr Kar for an assessment ... It is submitted that Inspector Dall had "reasonable grounds to believe" ... that the disclosing organisation (StateCover) had already notified the Applicant of the information in HPP 4(1). ... StateCover is a large organisation that is licensed by WorkCover under the Workers Compensation Act 1987 as a specialist workers compensation insurer and regularly processes workers compensation claims in the course of its business. Such claims routinely involve the collection and use of medical and health-related information concerning workers compensation claimants. Inspector Dall therefore had reasonable grounds to believe that StateCover had a process for informing claimants of the matters in HPP 4(1).
Indeed, as the Applicant herself had made a workers compensation claim with [the Council] in October 2011 ... and the referral to Dr Kar was done for the purpose of that claim, Inspector Dall had reasonable grounds to believe that StateCover, as the workers compensation insurer, had notified information of the kind referred to in HPP 4(1) to the Applicant.
The Respondent further notes that there is a "Privacy Policy and Collection Statement" ("StateCover Privacy Policy") on StateCover's wesbsite ... The StateCover Privacy Policy includes the statement (relevant text only is quoted):
"Personal information for the purposes specified above may be shared on a confidential basis with:
- government agents;
- police, law and credit enforcement bodies and agencies;
- other parties as required by law and/or
- the agent of any of these."
The Respondent notes that this text generally refers to the types of disclosures that may be made by StateCover, and the kinds of entities to whom disclosure may be made. The references to "government agents", "law enforcement bodies and agencies", "other parties as required by law" and/or "the agent of any of these" would include a reference to an inspector conducting an investigation under the OHS Act. ...
... The circumstances surrounding WorkCover's collection of the medical report indicate that there were such "reasonable grounds" [to believe" that StateCover had already notified the Applicant].
The Respondent submitted that no breach of HPP 4 is established.
The Applicant's Case
The Applicant relies on comments that I made in my decision in In KJ v Wentworth Area Health Service [2004] NSWADT 84, in support of her submission that the notification principle of the PPIP Act is for individuals to be able to give informed consent. The type of personal information at issue is relevant in determining whether an agency has taken such steps as are reasonable in the circumstances.
The Applicant disputed each of the Respondent's arguments in regard to compliance with HPP 4. She submitted that the arguments have no merit and some are frivolous.
She says that despite the promises of the Respondent's Privacy Management Plan, it was the fact that she knew who the Respondent was, that Inspector Dall was her designated contact person, and that she knew that she could request information related to herself under the GIPA Act that led her to discover that Inspector Dall had collected, used and disclosed the medical report.
The Applicant argues that the Respondent's assertion that the medical report was collected for "law enforcement purposes" is ludicrous as Inspector Dall did not conduct a criminal investigation, and he had found that there had been no contravention of the OHS Act before he collected the report. She says that the medical report was neither necessary for law enforcement purposes, nor any other of the Respondent's function.
With regard to the Respondent's assertion that compliance with HPP 4 would limit its ability to collect evidence and information, the Applicant submitted that the HPPs are supposed to limit the Respondent's ability to collect health information to what is lawful, reasonably necessary, directly related, relevant, not excessive, accurate, complete, non-intrusive, and not misleading.
With regard to the Respondent's assertion that Inspector Dall had reasonable grounds to believe that StateCover had already notified her, the Applicant submitted that the Respondent collected the medical report from Council, not StateCover. She submits that the argument therefore has no merit. She further stated that StateCover disclosed the medical report to Council for injury management purposes only.
The Applicant submitted that HPP 4(2) required the Respondent to "take any steps that are reasonable" to notify her that they had collected the medical report and what they were going to do with it. They did not take any steps to notify her of these matters, and therefore they have contravened HPP 4.
Discussion
I agree with the Applicant's submission in regard to purpose of HPP 4. For the reasons argued by the Applicant, I also agree that the Respondent's arguments are without merit.
HPP 4 required the Respondent to take any steps that are reasonable to notify the Applicant that they had collected the medical report and what they were going to do with it. They did not do so.
The medical report was not collected for "law enforcement purposes". There was no other reasonable reason for not complying with HPP 4.
In my view, the Respondent has contravened HPP 4.
HPP 5
HPP 5 sets out the Respondent's duties in relation to retention and security of the medical report. It is designed to ensure that agencies hold information securely, requiring that health information is protected by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse.
The Respondent's Case
The Respondent's evidence is that a hard copy of the medical report is retained securely in its archives. An extract from the medical report was included in the Respondent's investigations database, WSMS, which is password-protected and access to which is restricted to authorised the Respondent's personnel. The Respondent submitted that these arrangements fulfil the requirement in HPP 5(1)(c) that the Respondent have "such security safeguards as are reasonable in the circumstances" to protect against loss and unauthorised access.
The Respondent submitted that as a public office it is obliged under section 12 of the State Records Act 1998 "to keep full and accurate records of the activities of the office". It retains materials collected in investigations, generally for a period of 7 years as required under the State Records Act. It is submitted that the retention of records relating to investigations also contributes to the integrity, completeness and accuracy of the Respondent's investigative processes and ensures the proper accountability of inspectors and other personnel who are involved in the investigative process. The retention of records also permits the Respondent to properly address any inquiries that may arise in relation to an investigation, for example investigations by the NSW Ombudsman under the Ombudsman Act 1974, or applications made under the GIPA Act or applications for internal review under the PPIP Act or HRIP Act.
The Respondent submitted that neither the Applications nor the evidence filed by the parties reveals a breach of HPP 5.
The Applicant's Case
The Applicant contends that the Respondent don't know how many times the medical report has been copied, or who in the agency is holding it.
In support of this submission she referred to the Respondent's submission which note that a hard copy of the medical report is retained securely in the Respondent's archives and an extract from the medical report was included in the Respondent's investigations database. However, she compares this assertion with the comment in the Respondent's internal review determination relating to matter No. 133003 that:
one hard copy is held on investigation file 2011/017659. This file is scheduled for disposal in 2018 and is currently in archive. I also acknowledge that two electronic records exist. One electronic record is held with Inspector Dall, the other is held by WorkCover's Privacy Officer.
In his affidavit Inspector Dall's Affidavit stated:
At no time did I disclose Dr Kar's report to any person outside WorkCover. The hard copy of the report is stored securely in WorkCover's archives and an electronic form is also securely stored. There is a reference to the report, and an extract taken from the report, in the WSMS entry ...
The Applicant submitted that there are three different responses from three different representatives of the Respondent about who is holding the medical report. She argues that this does not indicate compliance with HPP 5(l)(c), which requires the Respondent to ensure that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse. She submitted that if the Respondent doesn't know who in the organisation is holding the medical report, the Tribunal could not be satisfied that it is securely stored and protected from unauthorised access and misuse.
The Applicant further submitted that the Tribunal could not be satisfied that the WSMS password protected data base is secure as someone accessed the WSMS data base and altered the complaint investigation file which contains an excerpt from the medical report.
Discussion
HPP 5 requires that the Respondent ensures that the medical report is protected, by taking such security safeguards as are reasonable in the circumstances. I have evidence that the Respondent's investigations database, WSMS, is password-protected and access to it is restricted to authorised personnel. I have no evidence in regard security safeguards in place to protect material held in the Respondent's archives however there is evidence that the report in the Respondent's archives is stored securely.
On the material before me, it is unclear how many copies of the medical report are held by the Respondent. It appears that it holds a hard copy and an extract taken from the report is contained the Respondent's investigations database. It is unclear how many copies of the medical report are held in electronic form. At least two copies have been identified but there could potentially be other copies.
I agree with the Applicant that if the Respondent is uncertain about how many copies of the report are held, it cannot be said that it had taken reasonable security safeguards to ensure that the information was protected against loss.
I am satisfied that the security safeguards are reasonable in the circumstances insofar as they concern the copies of the medical report held in the Respondent's investigations database and in the Respondent's archives. I find no contravention of HPP 5 in regard to the security of this information.
However, further evidence is needed in regard to what other copies of the medical report are held by the Respondent and in regard to the security of this information for the purposes of HPP 5.
HPP 6
HPP 6 sets out the Respondent's duty to take reasonable steps to enable a person to ascertain details in relation to the information held by the agency. HPP 6 is in similar terms to section 13 of the PPIP Act. Section 13 of the PPIP Act has been considered in a number of matters. An agency that holds personal information must take such reasonable steps to enable a person to ascertain details in relation to held information. The agency must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.
The Respondent's Case
The Respondent relies on views expressed by the Tribunal's President in HW v Commissioner of Police, New South Wales Police Service and Anor [2003] NSWADT 214 at paragraph [58] where he observed that section 13 of the PPIP Act has to do with a systemic obligation owed by agencies generally to the community. It is designed to achieve transparency about the personal information an agency holds.
The Respondent submitted that it publishes information that is publicly available on its website, including its Privacy Management Plan, about its policies and procedures in relation to personal information and health information. The Privacy Management Plan has been available to the public since its first publication (including on the Respondent's website) and was available to the public during and after Inspector Dall's investigation.
Further, with respect to the Applicant's particular health information, the Respondent submitted that the Applicant was aware at all relevant times of the identity of Inspector Dall and was in a position to enquire as to the health information that the Respondent held, the purpose for which it was used and/or the Applicant's entitlement to request access to the information.
The Respondent submitted that no breach of HPP 6 is established.
The Applicant's Case
The Applicant submitted that she was denied the opportunity to exercise the rights given by other HPPs to have the greatest possible control over the flow of her health information. She submitted that the Respondent was obliged to take such steps as are reasonable in the circumstances, to tell her that it held a copy of the medical report, the purpose of use of the report, and her entitlement to request access to it.
She argues that the onus is on the Respondent to inform an individual of their entitlement, not on the individual to approach the organisation on the off chance the organisation had collected something, especially in circumstances like these, when she had no reason to suspect that the Respondent had collected and was holding the medical report.
She says that the Respondent was holding the medical report, and because of the nature of the report, any use of it would invade her privacy and damage her reputation, yet the Respondent took no steps to inform her of her rights.
She says that she was denied the opportunity to access and amend her health information. Therefore, she couldn't ensure that it was relevant, accurate, up to date, complete and not misleading for the purpose of the use that Inspector Dall proposed. Further, she submitted that she was unable to object to its collection under section 21 of the HRIP Act, or refuse to consent to its use and disclosure.
Discussion
The Respondent has correctly cited the reference to the decision in HW v Commissioner of Police, New South Wales Police Service and Anor. I agree with the views expressed by the President in regard to section 13 of the PPIP Act. Those views are equally applicable to HPP 6 of the HRIP Act.
It is not in dispute that the Respondent took no steps to inform the Applicant that it held a copy of the medical report, the purpose of use of the report, and her entitlement to request access to it. However, in my view that is not required by HPP 6.
I am satisfied that the steps taken by the Respondent to provide transparency generally to the community meet the requirements of HPP 6.
I agree with the Respondent that no breach of HPP 6 is established.
HPP 9
HPP 9 provides that an organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
The Applicant's Case
The Applicant asserted that Inspector Dall did not notify her that he had collected the medical report or that he was holding it. Therefore she was unable to exercise her entitlements under HPPs 7 and 8 to access and amend the information, or to object to its use, or to request an internal review under section 21 of the HRIP Act.
She says that the Respondent merely assumed that the report was relevant and it assumed that the report was accurate, complete, and not misleading simply because Dr Kar is a medical specialist. However, she contends that the assumption of relevance was not borne out. She further says that the information that the Respondent obtained about her health, family, education, work, marriage, and lifestyle, as well as Dr Kar's opinion on whether or not she had sustained an injury at work could not have enlighten Inspector Dall on the question of whether the Council had an adequate bullying policy, and whether it had been followed.
She contends that there is reason to doubt the accuracy of Dr Kar's opinion. She says that while the medical report may be complete in itself, it is not a complete picture of her health in regard to her work related injury. It only represents the insurer's position. She submitted that treating it as a comprehensive, objective and informed opinion is a misleading use of her health information.
In regard to the proposed purpose of use, the Applicant referred to Inspector Dall's evidence that he proposed to use the medical report to assist him in coming to a final decision in the investigation. However she contends that Inspector Dall's actual use was to validate his finding. She says that the report was not relevant to Inspector Dall's investigation because Dr Kar was not asked, and nor was he qualified, to give an opinion on bullying. She further says that her life history and her health were not relevant to the adequacy of the Council's policies and procedures.
The Applicant referred to views expressed by Judicial Member Higgins in regard to section 16 of the PPIP Act in JD v Director General, NSW Department of Health (No.2) [2004] NSWADT 227, at paragraph [66]. Section 16 of the PPIP Act is in similar terms to HPP 9. The Judicial Member stated:
66 ... where personal information held by an agency is to be used for a purpose that is adverse to the interests of the person concerned, then s.16 of the PPIP Act places a higher threshold on an agency to ensure that the information is relevant, accurate, up to date, complete and not misleading. Although, in a general sense, I agree with the submissions of Ms Thomas that s.16 does not place an onus on an agency to research and investigate every aspect of personal information that it holds before it is used. However, the section does place an obligation on agencies, if seeking to use personal information that they hold, to consider whether steps (i.e. reasonable steps) need to be taken to check the accuracy etc. of that in formation before it is used and if steps do need to be taken to ensure that they are taken.
The Applicant contends that HPP 9 required the Respondent to do some checking before it used the medical report. She says that the Respondent merely made assumptions and that this does not accord with the obligation that the Respondent owed her.
The Respondent's Case
The Respondent submitted that when Inspector Dall commenced the investigation into the Applicant's complaints of bullying, an intrinsic part of the investigation was to gather factual material from relevant sources, including (but not confined to) from the Applicant. An inspector cannot necessarily determine in advance with certainty whether information or documents which he or she proposes to collect will ultimately be relevant to the investigation.
Inspector Dall collected the medical report after learning of its existence from Council representatives. He assumed that the medical report would have relevance to the investigation of alleged bullying under the OHS Act as it related to the Applicant's workers compensation claim against the Council. After collecting the medical report, Inspector Dall considered it, along with other evidence that he had received.
The Respondent further submitted that as the medical report was prepared by a properly qualified medical practitioner, Inspector Dall was justified in assuming that the medical report was the product of a skilled professional and contained information that was reasonably reliable, accurate, complete and not misleading.
Further, it argued that the medical report was a product of a specialist medical professional and had been commissioned and used previously by StateCover in its investigations. Also, the medical report was dated 10 November 2011 and therefore it was "up to date" at the time the report was collected and used in December 2011 and January 2012. The medical report was just one piece of a broader range of evidence that was considered by Inspector Dall during the investigation. It was neither the only piece of evidence nor was it determinative in and of itself.
The Respondent submitted that HPP 9 is not intended to be used to make collateral challenges to an agency's decisions. It referred to views expressed by Judicial Member Molony in QB v Greater Southern Area Health Service [2011] NSWADT 90 where he found at paragraph [114] that if an opinion about a person's health is honestly held, then it is not "inaccurate", even if the individual concerned disputes the opinion. It submitted that there is no evidence that Dr Kar did not honestly hold the opinions expressed in the medical report, or that Inspector Dall had reason to question the opinion.
The Respondent submitted that no breach of HPP 9 is established.
Discussion
I agree with the Respondent that HPP 9 did not require Inspector Dall to determine the relevance of the medical report at the time he was gathering evidence for the purposes of his investigation.
The report was produced shortly before it was obtained by the Respondent. In my view the report was "up to date" at the time it was collected and used.
I also agree that there was no reason for the Respondent to doubt that Dr Kar honestly held the opinions expressed in the medical report. I accept that the Applicant does not agree with the opinions expressed in the medical report but it does not follow that it is inaccurate for the purposes of HPP 9.
I agree with the Respondent that no breach of HPP 9 is established.
HPP 10
Pursuant to HPP 10 the Respondent can only use health information for the purpose for which it was collected, or a directly related purpose that the Applicant would expect. Otherwise it can only use it with the Applicant's consent (unless one of the exemptions in HPP10 applies).
The Respondent's Case
The Respondent contends that it was holding the medical report for the primary purpose of conducting an investigation into alleged OHS breaches by the Council. It says that the report was not used for any secondary purpose. The Respondent was therefore acting within the scope of the introductory sentence of HPP 10(1).
In the alternative, the Respondent contends that Inspector Dall's use of the medical report was "reasonably contemplated" by the OHS Act. Inspector Dall used the medical report pursuant to section 59 of the OHS Act (and, by implication, section 62 of the OHS Act, if required) in order to investigate the matters complained of and to determine if a breach of a provision of the OHS Act had occurred.
The Respondent relies on views that the Appeal Panel expressed in regard to section 25(b) of the PPIP Act in PN v Department of Education and Training [2010] NSWADTAP 59 ("PN"). Subsection 25(b) of the PPIP Act provides that an agency is not required to comply with various provisions if non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law. This is in identical terms to HPP 10(2)(b). The Appeal Panel considered the appropriate approach to applying section 25(b) and stated at paragraphs [54] to [60]:
54 Further, we do not think that the task required of the Tribunal in deciding whether or not s 25 is applicable requires it to go so far as to make a microscopic comparison of an alternative law to which an agency refers in justification. Section 25 is expressed in broad language. It is enough that 'non-compliance is reasonably contemplated' by the other law.
55 The Tribunal is called upon, as we see it, to consider the subject matter of the alternative law and ask itself, first, is this the kind of subject matter with which a relevant IPP is concerned in the circumstances of the case before it.
56 Necessarily, the workers compensation regime involves the management of personal information. Moreover, the workers compensation regime has detailed provisions allowing movements of information between a number of parties who have a business role in the management of workers' injuries and the determination of claims.
57 In our view, it is enough for s 25(b) to apply that the transactions in issue (here, one instance of indirect collection and otherwise disclosures) are of a type that is contemplated by the regime; and that they are genuinely undertaken for the purpose of the scheme. Whether something is 'reasonably contemplated' is a factual determination for the trial tribunal to make, only vulnerable to appeal as an error of law on narrow grounds, such as no evidentiary basis for the finding or because the finding is one no rational tribunal could make. This is clearly not a case of that kind.
58 If the Department has breached the guidelines or the statutory provisions in the way it carried out its obligations under the workers compensation regime, as PN's submissions suggest, those are matters to be dealt with through the complaints mechanisms that the workers compensation regime has. The breaches are not open to be litigated within the framework of the privacy legislation.
59 The Tribunal's task is simply to make a broad judgement as to whether s 25 applies. The protection given to an agency by s 25 is not lost simply because the agency has failed to comply, in some aspect of the detail, with a requirement of the other law.
60 If the strict view pressed by PN were to be adopted, privacy cases raising s 25 would give rise to a detailed collateral inquiry into whether the agency had strictly complied with the alternative regime. We do not think that the words of s 25 support such a conclusion, and engagement by the Tribunal in a collateral inquiry would defeat the evident purpose of s 25.
The Respondent submits that the collection and use of the medical report for the purposes of investigation were transactions of a type "contemplated" by the investigative and enforcement regime in the OHS Act, and were "genuinely undertaken for the purpose" of that regime. It argues that Inspector Dall did not collect, or use, the medical report for any other purpose. The exception in HPP 10(2)(b) is therefore applicable if the relevant "use" of the medical report does not fall within the scope of HPP 10(1) (which the Respondent denies).
The Respondent submits that no breach of HPP 10 is shown.
The Applicant's Case
The Applicant contends that the Respondent breached HPP 10 with respect to the use of her health information. She says that the medical report was collected and used for the purpose of validating an unsound finding and attacking her. She says that consent is a key consideration in the use of health information and that she did not consent to any use of the report by the Respondent.
The Applicant further contends that the OHS Act does not contemplate the collection of health information, and therefore the exception in HPP 10(2)(b) is not applicable.
Discussion
I agree with the Respondent that it held the medical report for the primary purpose of conducting an investigation into alleged OHS breaches by the Council. This is a transaction of a type "contemplated" by the OHS Act and therefore the exception in HPP 10(2)(b) is applicable. On the evidence before me I am satisfied that Inspector Dall did not collect, or use, the medical report for any other purpose.
That being the case, I agree with the Respondent that no breach of HPP 10 is established.
HPP 11
HPP 11 prohibits disclosure of health information other than for certain purposes described in HPP 11(1), and subject to certain exceptions in HPP 11(2), 11(3) and HPP 11(4).
The Respondent's Case
The Respondent denies that there was any disclosure of the Applicant's health information. The Respondent acknowledges the Applicant's assertion that Inspector Dall "disclosed" the medical report to his supervisor, Mr Irwin. However, it submits that as both Inspector Dall and Mr Irwin were officers of the Respondent the flow of information between them was not "disclosure" within the meaning of HPP 11. It argued that "disclosure" requires that the information be given to a person outside the agency.
The Respondent referred to the view that I expressed in my decision in LN v Sydney South West Area Health Service (No 2) [2010] NSWADT 38 where I stated at paragraph [71]:
71 ... Principle 11, which places limits on the disclosure of health information, concerns the external as distinct from internal use of information. ...
Further, the Respondent submitted that even if a "disclosure" did occur, then such "disclosure" was of a kind that was "reasonably contemplated" under another Act (that is, the OHS Act), and therefore permitted under HPP 11(2)(b). It contends that this is the case because both Inspector Dall and Mr Irwin were engaged in official functions for the purpose of an investigation under the OHS Act and transferred the relevant information between themselves for such a purpose.
In support of that contention the Respondent referred to the view that the Appeal Panel expressed in PN v Department of Education and Training [2010] NSWADTAP 59, at paragraphs [54] to [60] which are set out above.
However, the Respondent maintains that no "disclosure" within the meaning HPP 11 took place in any case. Therefore, it submits that no breach of HPP 11 is shown.
The Applicant's Case
The Applicant contends that the Respondent breached HPP 11 with respect to Inspector Dall's provision of the medical report to Mr Irwin. The Applicant does not make any allegation that the report was disclosed to a person outside the Respondent.
The Applicant submits that the finding in LN is not applicable because the circumstances in LN's case are so dissimilar to those in this matter. She further submits that precedents exist for finding that disclosures within an agency are contraventions of the disclosure principle in some circumstances: KJ v Wentworth Area Health Service [2004] NSWADT 84.
The Applicant submits that in this case, when Inspector Dall wrote his report on the Respondent's database, he disclosed her health information to Mr Irwin and any other person who reads his report. She further submitted that she did not consent to the disclosure.
The Applicant further contends that the OHS Act does not contemplate the collection of health information, and therefore the assertion that the OHS Act reasonably contemplated the disclosure is not justified.
Discussion
The evidence of Inspector Dall is that the medical report was not disclosed by the Respondent (or any of its representatives) to a person outside the Respondent. The medical report, or extracts from it, was only transferred between certain specific, and authorised, individuals within the Respondent.
The Applicant does not dispute that evidence. She challenges the Respondent's argument that there can be no contravention of HPP 11 if the medical report was not disclosed to a person outside the Respondent.
I agree with the Respondent and with the view that I expressed in LN v Sydney South West Area Health Service (No 2) [2010] NSWADT 38 that HPP 11 concerns the external disclosure of health information, as distinct from internal use of information.
In the circumstances of this matter there was no external disclosure of the medical report. It follows that I agree with the Respondent that no breach of HPP 11 is established.
Conclusion
As I have indicated above, I find that the Respondent has acted in breach of some of the HHPs. The parties have not made submissions with respect to what, if any, orders should be made in relation to the breaches. In the circumstances it is appropriate that the matters be listed for a further planning meeting so that a timetable can be set regarding the further conduct of the matters.
Order
The matters are to be listed for a planning meeting at 9.30 am on 17 June 2014.
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Decision last updated: 24 April 2014
7
8
7