BZX v Western Sydney Local Health District; BZY v Western Sydney Local Health District; BZZ v Western Sydney Local Health District
[2015] NSWCATAD 210
15 October 2015
New South Wales
Case Name: BZX v Western Sydney Local Health District; BZY v Western Sydney Local Health District; BZZ v Western Sydney Local Health District
Medium Neutral Citation: [2015] NSWCATAD 210
Hearing Date(s): On the papers
Decision Date: 15 October 2015
Jurisdiction: Administrative and Equal Opportunity Division
Before: J Lucy Senior Member
Decision: 1) The respondent has not contravened Health Privacy Principle 10 or Health Privacy Principle 11.
Catchwords: PRIVACY – Health privacy – Use and disclosure principles – Whether agency responsible for conduct of employee acting for private purposes – Security of information
Legislation Cited: Civil and Administrative Tribunal Act 2013 (NSW)
Cases Cited: Director General, Department of Education and Training v MT (2006) 67 NSWLR 237
Category: Principal judgment
Parties: BZX (Applicant in 1510230)
Representation: Solicitors:
File Number(s): 1510230, 1510231, 1510232
Publication Restriction: Publication of the names of the applicants is prohibited pursuant to an order made under s 64 of the Civil and Administrative Tribunal Act 2013 (NSW).
JUDGMENT
These proceedings concern the alleged breach of privacy of the applicants by the respondent (“the Health District”), in circumstances where an employee of the Health District gained unauthorised access to the applicants’ health information through the Health District’s computer system. The applicants’ case is that the employee then disclosed that information to the Child Support Agency and Family Court in proceedings between himself and one of the applicants.
The applicants, who are family members, made three separate applications for review of the conduct of the Health District. By consent, those applications were heard together.
One of the applicants is the ex-wife of an employee of the Health District (“the Nurse”). It is common ground that the Nurse accessed the medical records of his ex-wife and her family for his personal purposes, without the consent of the individuals concerned, on an electronic database of the Health District called “Cerner.”
Cerner may only be accessed by means of a username and password. The Nurse does not have a username or password to access Cerner. The applicable NSW Health policy provides that employees should keep their passwords confidential and should never leave their workstation unattended while logged in.
In the early morning of 14 August 2015, whilst on night duty, the Nurse found that a computer in a hospital operated by the Health District had been left logged on to Cerner. Between 2.42 am and 3.04 am on that day, the Nurse accessed the applicants’ records on that computer whilst it was logged in to Cerner in another staff member’s name.
The Nurse and his former wife have a child together and, at the time the records were accessed, they had a matter before the Child Support Agency and a matter before the Family Court.
The Nurse provided the health information of his ex-wife and her family members to the Child Support Agency and to the Family Court in an affidavit. He alleged that his ex-wife had her mother living with her, that her mother had a long history of mental illness and that this had a negative impact on their child. He also alleged that his ex-wife’s brothers had been charged with drug and alcohol abuse and that one of her brothers had been taken to hospital due to drug related behaviour.
The applicants’ evidence was that the information provided by the Nurse to the Child Support Agency included that a drug, urine and blood test had been carried out on one of his ex-wife’s brothers at a hospital operated by the Health District in January 2013. The Nurse said that this information was provided to him by a friend working at the hospital, but he declined to provide the name of the friend.
In an interview the Health District conducted with the Nurse, the Nurse said that he was aware of the health information contained in the statement to the Child Support Agency and the affidavit filed in the Family Court before accessing any information about his ex-wife or her family on the Health District’s electronic database. He said it was known to him because of his personal relationship with the applicants.
Review of conduct
The applicants applied for internal review of the Health District’s conduct. The internal review officer determined that the information in question was the applicants’ “health information” within the Health Records and Information Privacy Act 2002 (NSW).
The internal review officer found that the Health District had contravened Health Privacy Principle (“HPP”) 5 – Retention and Security, because the staff member who failed to log out when she left her workstation failed to comply with the agency’s policy.
The internal review officer found, however, that the Health District had not breached the use and disclosure principles (HPP 10 and HPP 11). In relation to HPP 10, the internal review officer found that the Nurse accessed the applicants’ electronic health care records for his own personal reasons and that this was not conduct of the agency. The officer relied upon Director General, Department of Education and Training v MT (2006) 67 NSWLR 237 for the proposition that the Health District is not responsible for the use of information for a purpose extraneous to any purpose of the agency.
In relation to the alleged unlawful disclosure of the applicants’ health information to the Child Support Agency, the internal review officer found that this was not a disclosure of information, because the Nurse had personal knowledge of this information prior to accessing Cerner. The information was, in the officer’s opinion, “based on [the Nurse’s] own personal knowledge of his personal relationships with the applicants.” The internal review officer also found that any disclosure of information by the Nurse could not be attributed to the Health District, as it was disclosed for the Nurse’s personal purposes.
The applicants sought review in the Tribunal of the Health District’s conduct. The parties consented to the Tribunal determining on the papers the issue of whether the respondent is liable for breach of the use or disclosure principles. I made an order dispensing with a hearing pursuant to s 50(2) of the Civil and Administrative Tribunal Act, as I was satisfied that the issues for determination could be adequately determined in the absence of the parties by considering written submissions and other documents or material lodged with or provided to the Tribunal.
Relevant privacy principles
It is not in dispute that the information the subject of these proceedings is the applicants’ health information. As the internal review officer found, it is therefore the health privacy principles, in Sch 1 to the Health Records and Information Privacy Act, which are engaged.
Health Privacy Principle 5(1)(c) in Sch 1 to the Health Records and Information Privacy Act provides:
“5 Retention and security
(1) An organisation that holds health information must ensure that:
…
(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and…”
Health Privacy Principle 10 in Sch 1 to the Health Records and Information Privacy Act provides:
“10 Limits on use of health information
(1) An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:
(a) Consent
the individual to whom the information relates has consented to the use of the information for that secondary purpose, or…”
Health Privacy Principle 11 in Sch 1 to the Health Records and Information Privacy Act provides:
“11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:
(a) Consent
the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or…”
The Tribunal’s task is to decide what the correct and preferable decision is having regard to the material before it, including any relevant factual material and any applicable law (Administrative Decisions Review Act 1997 (NSW), s 63(1)).
Confidentiality Orders
The Tribunal routinely anonymises the names of applicants in privacy matters (see NCAT Administrative and Equal Opportunity Division Procedural Direction 9: Publication, Anonymisation and Suppression, cl 4.2(b)). This practice recognises that the publication of an individual’s name may be a disincentive to bringing proceedings for review under the privacy legislation, in circumstances where the individual’s privacy is the subject of the proceedings. In many cases, the publication of the name of an individual who is applying for a review of conduct under the privacy legislation would undermine the purpose of the review and the legislative intention of protecting individuals’ privacy.
In this case, having regard to these considerations and to the factual circumstances of this case, I am satisfied that it is desirable to make an order under s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW) prohibiting the publication of the names of the applicants in proceedings 1510230, 1510231 and 1510232. I make that order.
Parties’ submissions
The applicants contended that the Health District erred in its findings that it had not contravened HPP 10 or HPP 11. In response to the agency’s reliance on Director General, Department of Education and Training v MT (2006) 67 NSWLR 237, the applicants maintained that this decision did not mean that the Health District could be absolved from blame. They submitted that, in addition to its obligations in HPP 10 and HPP 11 not to misuse health data, the Health District had an obligation to keep that data reasonably secure and had not done so. One of the ways in which it could keep data secure, in the applicants’ submission, was by properly punishing staff who violated patients’ privacy. The applicants said that it had failed to do this in the case of the Nurse.
In relation to the internal review officer’s finding that the Nurse had not disclosed the applicants’ health information, the applicants submitted that the Nurse was likely to have relied upon the information he accessed on Cerner when describing his ex-wife’s mother as suffering from “a long history of mental illness.” The applicants point out that the definition of “health information” includes an individual’s mental health (Health Records and Information Privacy Act, s 6).
The applicants submit that the information provided to the Child Support Agency by the Nurse in October 2014 could not be solely based upon his personal knowledge of the applicants, since he had been separated from his ex-wife since May 2012. They submitted that the information about the drug, urine and blood test upon one of the applicants was likely to have come from Cerner. They said that the Nurse’s claim that a friend provided him with that information was “uncorroborated and unsubstantiated” and that the Nurse’s truthfulness should be doubted.
In any event, the applicants submit that the privacy legislation does not have a “carve out” for a person who uses wrongfully obtained information merely because there is a possibility that they could have obtained the information in another way. The legislation, in the applicants’ submission, provides that if someone obtains information and uses it, they are liable.
The Health District made submissions which were consistent with the internal review findings. Its principal argument was that it was not liable for breaching HPP 10 or 11, by application of the principles in Director General, Department of Education and Training v MT (2006) 67 NSWLR 237. It relied upon the proposition expounded by Spigelman CJ at 247 [43] that:
“Where, as here, the ‘use’ or ‘disclosure’ of information was for a purpose extraneous to any purpose of the Department, it should not be characterised as ‘use’ or ‘disclosure’ by the Department or conduct of the Department. It is not appropriate to adopt a rule of attribution that extends so far.”
The Health District said that the use and disclosure of the applicants’ health information by the Nurse was for his personal and private purposes. The Health District submitted further that if an employee had disclosed information to the Nurse about blood and urine tests conducted upon one of the applicants, this was not conduct attributable to the Health District for the same reasons.
Consideration
I accept the Health District’s primary submission that the conduct of the Nurse in accessing and disclosing the applicants’ health information is not conduct of the Health District for the purposes of the Health Records and Information Privacy Act. This is because the Nurse accessed the applicants’ health information contrary to the applicable policy of the Health District and for his own private purposes. He also provided that information to the Family Court and Child Support Agency for purposes extraneous to the agency. In these circumstances, his conduct cannot be attributed to the Health District on the authority of Director General, Department of Education and Training v MT (2006) 67 NSWLR 237.
It is not therefore necessary to determine whether the information the Nurse provided to the Child Support Agency, and possibly also to the Family Court, was information known to him already, or information he obtained wholly or partly from Cerner.
I also find that, if a staff member did provide the Nurse with information about a drug and urine test conducted upon one of the applicants, this was for a purpose extraneous to the agency and it was not conduct attributable to the agency: Director General, Department of Education and Training v MT (2006) 67 NSWLR 237. It is not necessary to determine whether this in fact occurred, because in either case, the agency has not breached HPP 11.
For these reasons, I find that the Health District has not contravened HPP 10 or HPP 11.
Remaining issues to be determined
It was anticipated by the parties that, after determining the Health District’s liability for the alleged breaches of HPP 10 and HPP 11, the Tribunal would then consider separately whether to make any of the orders contemplated by paragraphs (a) to (g) of s 55(1) of the Privacy and Personal Information Protection Act 1998 (NSW), which provide remedies to the applicants. As indicated earlier in these reasons, the Health District concedes that it has breached HPP 5.
The Tribunal is not bound by a party’s concession because it is conducting a merits review: University of New South Wales v PC [2008] NSWADTAP 26 at [49]-[51]; Forster v Repatriation Commission (2015) 144 ALD 624 at 634 [51]; Repatriation Commission v Warren (2008) 167 FCR 511 at [78]. The task of determining what is the “correct and preferable decision” pursuant to s 63 of the Administrative Decisions Review Act requires the Tribunal to consider, for itself, whether there has been a breach of HPP 5.
The Tribunal’s preliminary view is that the reasoning upon which the Health District relied does not support a finding that the Health District contravened HPP 5. Its reasoning, which is not developed in any detail, appears to be that, because a staff member breached the applicable policies requiring her to log out of Cerner when away from her workstation, it follows that the Health District breached HPP 5(1)(c). HPP 5(1)(c) requires an agency to take “such security safeguards as are reasonable in the circumstances” to protect health information. This provision is, in my view, primarily directed at the systems and policies an agency has in place to protect health information. It does not necessarily follow from the loss or disclosure of information by an agency or a staff member, or the failure of a staff member to comply with a policy, that the agency’s security safeguards are inadequate: XW v Department of Education and Training [2009] NSWADT 73 at [91]; BE v University of Technology, Sydney [2008] NSWADT 139 at [78]-[79].
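The distinction drawn above, between an individual staff member’s lapse and the adequacy of an agency’s systems and policies, is illustrated below in code. This is an added example and not part of the Tribunal’s reasons or of any system used by the Health District: it shows the kind of detective safeguard an agency could run over its own access audit logs to surface the pattern described in the facts (a session left logged in, then used after a long idle gap to view records of patients the logged-in user was not caring for). The log format, field names, user names, patient identifiers and shift assignments are all constructed for the example; only the 2.42 am to 3.04 am timing mirrors the judgment.

```python
from datetime import datetime

# Constructed audit-log lines in a hypothetical format (not Cerner's):
# timestamp | session_id | login_user | event | patient_id
# Session S1 belongs to nurseA, goes quiet after 01:12 and is then used
# from 02:42 to 03:04 to view three unrelated patients' records.
SAMPLE_LOG = """\
2015-08-14T01:10:00|S1|nurseA|view|P100
2015-08-14T01:12:00|S1|nurseA|view|P101
2015-08-14T02:42:00|S1|nurseA|view|P200
2015-08-14T02:50:00|S1|nurseA|view|P201
2015-08-14T03:04:00|S1|nurseA|view|P202
2015-08-14T02:45:00|S2|nurseB|view|P300
2015-08-14T02:46:00|S2|nurseB|view|P301
"""

# Constructed patient assignments for the shift (hypothetical data).
ASSIGNMENTS = {
    "nurseA": {"P100", "P101"},
    "nurseB": {"P300", "P301"},
}


def parse_log(text):
    """Parse the constructed log into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, sid, user, ev, pid = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "session": sid,
                       "user": user, "event": ev, "patient": pid})
    events.sort(key=lambda e: e["ts"])
    return events


def find_idle_session_reuse(events, idle_minutes=15):
    """Flag the first access in a session that follows more than idle_minutes
    of inactivity: the signature of a workstation left logged in and later
    used. Returns (session, login_user, gap_minutes, patient, timestamp)."""
    last_seen = {}
    hits = []
    for e in events:
        prev = last_seen.get(e["session"])
        if prev is not None:
            gap = (e["ts"] - prev).total_seconds() / 60
            if gap > idle_minutes:
                hits.append((e["session"], e["user"], gap, e["patient"], e["ts"]))
        last_seen[e["session"]] = e["ts"]
    return hits


def find_out_of_assignment_access(events, assignments):
    """Flag record views of patients not assigned to the logged-in user."""
    return [(e["user"], e["patient"], e["ts"]) for e in events
            if e["event"] == "view"
            and e["patient"] not in assignments.get(e["user"], set())]


def suspicious_sessions(events, assignments, idle_minutes=15):
    """Correlate both signals: sessions that were reused after an idle gap
    AND viewed records outside the user's assignment are the ones an
    auditor should examine first."""
    idle = {h[0] for h in find_idle_session_reuse(events, idle_minutes)}
    by_session = {e["session"] for e in events
                  if (e["user"], e["patient"], e["ts"])
                  in find_out_of_assignment_access(events, assignments)}
    return idle & by_session


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_idle_session_reuse(evs):
        print("idle-session reuse:", hit)
    for hit in find_out_of_assignment_access(evs, ASSIGNMENTS):
        print("out-of-assignment view:", hit)
    print("sessions to review:", suspicious_sessions(evs, ASSIGNMENTS))
```

The preventive counterpart to this check is an enforced idle-session lock or automatic logout, which removes the reliance on each staff member remembering the policy; the detective check above is what lets an agency show, after the event, that it had safeguards in place to notice misuse of a session rather than only a policy instructing staff not to create the opportunity.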
The Tribunal has not yet considered the applicants’ argument that the alleged lack of action taken by the Health District against the Nurse is indicative of the Health District’s failure to take reasonable security safeguards to protect health information.
The remaining issues to be determined are whether the Health District contravened HPP 5 and the orders the Tribunal should make if it finds a contravention. The matter will be listed for a further planning meeting for the purposes of giving the parties an opportunity to provide evidence and make submissions about those issues.
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar