Carol Sandland v Australian Capital Territory t/as Canberra Health Services

Case

[2023] FWC 3389

19 DECEMBER 2023


[2023] FWC 3389

FAIR WORK COMMISSION

DECISION

Fair Work Act 2009

s.394—Unfair dismissal

Carol Sandland
v

Australian Capital Territory t/as Canberra Health Services

(U2023/2130)

COMMISSIONER MCKINNON

SYDNEY, 19 DECEMBER 2023

Application for an unfair dismissal remedy – whether dismissal harsh, unjust or unreasonable

  1. For approximately 6 years and 4 months, Ms Carol Sandland was employed by Canberra Health Services (CHS) on behalf of the Australian Capital Territory (ACT) Government. She worked as an Enrolled Nurse at the Dhulwa Secure Mental Health Facility (Dhulwa) until 24 February 2023, when she was dismissed for serious misconduct.

  1. On 15 March 2023, Ms Sandland applied in time for an unfair dismissal remedy under section 394 of the Fair Work Act 2009 (the Act). Ms Sandland is protected from unfair dismissal: at the time of dismissal, Ms Sandland’s gross annual salary was below the high income threshold; she had completed the minimum employment period of 6 months; and the ACT Public Sector Nursing and Midwifery Enterprise Agreement 2020-2022 (the Agreement) applied to her employment. The Small Business Fair Dismissal Code did not apply to the dismissal because the ACT Government is not a small business employer. The dismissal was not a case of genuine redundancy.

  1. The question is whether the dismissal of Ms Sandland was harsh, unjust, or unreasonable. I am satisfied that the dismissal was unreasonable. It follows that Ms Sandland has been unfairly dismissed. Compensation is to be the appropriate remedy in the circumstances. These are my reasons.

Relevant background

  1. Dhulwa is a mental health facility charged with the care of people with mental illness who have been in the criminal justice system. Its patients often have complex mental health needs and may engage in violent or other unsafe behaviours. There is no doubt that it is a challenging environment for all concerned, including management, employees, and patients.

  1. Ms Sandland’s employment at Dhulwa typically involved patient engagement and assessment, administering medication, daily living care and liaison with other employees and health professionals. In addition to her nursing duties, Ms Sandland was a Health and Safety Representative (HSR) and delegate of the Australian Nursing and Midwifery Federation (ANMF). In these roles, she was responsible for assisting and advocating on behalf of workers at the facility about industrial and safety matters.

  1. The ANMF also had its own separate channels through which it worked with CHS management to support members working at Dhulwa. This included an established practice by which CHS confidentially shared information with the ANMF about incidents at the facility and broader operational and systemic issues.

  1. On 13 February 2022, Ms Sandland was assaulted at work by a patient. After a short period of absence, she commenced a graduated return to work in March 2022. Over the course of the year, Ms Sandland’s relationship with local management became increasingly difficult. She thought they were incompetent, anti-union, did not follow their own policies, and played favourites. By early 2023, she felt she was being excluded and “set up” – a perception likely reinforced by an email from Mr Sam Oram of the ANMF on 13 December 2022 in which he warned Ms Sandland that her emails were being audited. There is no evidence that this was true at the time.

  1. Ms Sandland had a particularly strained relationship with the Assistant Director of Nursing, Ms Peta Kleinig. She felt that her approaches to Ms Kleinig were ignored. When she did receive responses to her queries, she perceived them as “B.S.” (or in its long form, “bullshit”). Ms Sandland regularly shared her concerns about Dhulwa’s management to the ANMF, including with forwarded internal communications and/or supporting documentation. In the process, Ms Sandland disclosed confidential information about patients of Dhulwa to the ANMF. She also sent confidential information about patients to her two private email accounts. She was not authorised to do either of these things.

The events leading to dismissal

  1. In January 2023, CHS became aware that Mr Oram had a high level of knowledge about a particular patient at Dhulwa. It suspected breaches of patient privacy by Ms Sandland. An audit of her emails for the two days prior[1] revealed 3 emails to Mr Oram on 19 January 2023 disclosing the patient’s name, location and progress notes, and a similar disclosure by another employee at Dhulwa. The audit of Ms Sandland’s emails was then expanded to cover a period of approximately 12 months, through which additional disclosures were identified.

  1. On 8 February 2023, a letter was sent to Ms Sandland from Ms Kalena Smitham, CHS Executive Group Manager, People & Culture. The letter was headed “Re: Proposed Summary Termination of Your Employment”. Ms Sandland was advised that a preliminary assessment process had been initiated under clause 117 of the Agreement to determine whether further action was required, due to her alleged inappropriate behaviour. A decision had been made not to refer the matter to the Professional Standards Unit (PSU) for investigation and instead to propose the summary termination of her employment.

  1. The allegations against Ms Sandland all related to her forwarding of emails containing patient information to the ANMF and to her private email accounts. This conduct was generally described as “instances of serious breaches of the Health Records (Privacy and Access) Act 1997” (ACT) (the Health Records Act), which were said to constitute offences under the Health Records Act and thus to be criminal acts for the purposes of the Criminal Code Act 1995 (Criminal Code).

  1. Ms Sandland’s conduct was also alleged to be in breach of her obligations under:

  1. Section 9 of the Public Sector Management Act 1994 (ACT) (the PSM Act), which required her to follow the laws of the ACT and to treat all people with courtesy and sensitivity to their rights,

  2. Standards 1.1 and 2 of the Enrolled nurse standards for practice (the Standards), which obliged her to demonstrate knowledge and understanding of Commonwealth, State and/or Territory legislation and common law pertinent to nursing practice; to practice nursing in a way that upheld the rights, confidentiality, dignity and respect of people; and to ensure privacy, dignity and confidentiality when providing care, and

  3. The CHS Clinical Records Management Policy (CRM Policy), under which all staff were responsible for the security of personal health information captured and used by CHS. The Policy required staff to limit the sharing of personal health information to members of the treating team, health service providers involved in the care of the patient, and other authorised persons.

  1. Ms Sandland was suspended with pay and asked to show cause why her employment should not be terminated. Her response was sought by 15 February 2023. The response period was subsequently extended to 22 February 2023 at the request of the ANMF, which was one week less than the ANMF had requested.

  1. Inexplicably, neither Ms Sandland nor the ANMF (on her behalf) responded to CHS by the extended deadline of 22 February 2023, either by providing a substantive response or by making another request, such as for additional time or for more information.

  1. On 24 February 2023, Ms Sandland’s employment was terminated on the grounds of serious misconduct. The letter of termination confirmed the views earlier expressed by Ms Smitham that Ms Sandland’s actions:

  1. were in breach of section 6(1) of the Health Records Act,

  2. failed to demonstrate “reasonable care and diligence” as required in accordance with sub-section 9(1)(d) of the PSM Act,

  3. were inconsistent with her position as a registered health professional in appropriately handling and protecting sensitive information,

  4. undermined the integrity of CHS’s handling of personal health information,

  5. were inconsistent with the continuation of her contract of employment due to the inherent connection between the nature of her conduct and her position as a registered health professional,

  6. caused reputational risk to CHS, particularly in the context of open disclosure, and

  7. were “considered a criminal act” under the Criminal Code and the Health Records Act.

  1. The wrong “Attachment A – Reasons for Proposing to Summarily Terminate” was attached to the letter of termination. This was not an insignificant error in the sense that Attachment A set out the detail of CHS’s reasons for the summary dismissal of Ms Sandland. Those same reasons had, however, been set out in the letter of 8 February 2023, to which the letter of termination referred. The error was corrected on 28 February 2023.

  1. After the dismissal, CHS reviewed the records it had obtained from the audit of Ms Sandland’s emails again in connection with this proceeding and identified further emails of concern sent by Ms Sandland from her work email account.

The regulatory framework

The Agreement

  1. Section O of the Agreement is titled “Workplace Values and Behaviours”. It deals comprehensively with procedures for managing misconduct or alleged misconduct by an employee. Serious misconduct is described as “conduct that is so serious that it may be inconsistent with the continuation of the employee’s employment with the Territory”. For the purposes of the Agreement, “serious misconduct” has the meaning given to it by Regulation 1.07 of the Fair Work Regulations 2009 (the Regulations). The full text of Regulation 1.07 is set out in the Annexure to this decision.

  1. While Section O of the Agreement contains comprehensive disciplinary procedures, including for dealing with misconduct, clause 151.7 of the Agreement operates to the exclusion of those procedures. It says:

“Notwithstanding the provisions of this Section, the head of service may summarily terminate the employment of an employee without notice for serious misconduct as defined within the Fair Work Regulations.”

The Health Records Act and the Privacy Principles

  1. Section 5 of the Health Records Act gives legal force to the Privacy Principles (Schedule 1 to the Health Records Act), including Principles 4.1 and 10. Relevant extracts from the Health Records Act, as well as Privacy Principles 4.1 and 10, are set out in the Annexure to this decision. In summary:

1.   Section 6 of the Health Records Act requires compliance with the Privacy Principles, including in relation to personal information and personal health information.

2.   Privacy Principle 1 provides that where personal health information or health records are required to be collected by someone as part of their employment for the management, funding or quality of a health service received by the consumer, the person is allowed access to the information only for those purposes, unless these principles otherwise provide.

3.   Privacy Principle 4.1 requires record keepers to ensure that health records are protected by reasonable security safeguards against unauthorised access, use, modification or disclosure. If giving a health record to another entity, they must do everything reasonably within their power to prevent its unauthorised use or disclosure.

4.   Privacy Principle 10 prohibits record keepers from disclosing personal health information to third parties, except where a relevant exception applies. In this case, the potential exception of relevance is where the record keeper believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent risk to the life or physical, mental or emotional health of the consumer or someone else.

  1. Ms Sandland submits that there was another relevant exception, which applied if she believed on reasonable grounds that the recipient of the health information would not disclose the personal health information. This exception only applies where the disclosure is necessary for the purpose of research or the compilation or analysis of statistics, in the public interest. There is no evidence that the sharing of information with the ANMF about which this matter is concerned was for such a purpose.

  1. A “health record” is any record, or any part of a record that either: is held by a health service provider and containing personal information; or contains personal health information. “Personal information” and “personal health information” are defined terms for the purposes of the Health Records Act.

  1. Section 4B of the Health Records Act contains a note to the effect that Chapter 2 of the Criminal Code applies to offences against the Health Records Act. Part 5 of the Health Records Act deals with offences in four categories: unlawfully requiring consent by threats, intimidation or false misrepresentation; destruction of records to evade or frustrate the operation of the Health Records Act; unlawfully requesting or obtaining access to health records; and unlawfully penalising people to deter them from accessing their health records. A breach of the Privacy Principles is not of itself an offence, although some of the offences prescribed in Part 5 may also involve a breach of the Privacy Principles. In other words, not all breaches of the Privacy Principles are “considered a criminal act” under the Health Records Act and the Criminal Code.

  1. Section 30 of the Health Records Act requires an unqualified record keeper who lacks the skill or training necessary to perform a function under the Act to obtain and act on advice from someone with the necessary skill and training.

The PSM Act

  1. Section 9 of the PSM Act deals with public sector conduct. Relevant extracts from the PSM Act are also set out in the Annexure to this decision. In short, a public servant is required to act lawfully, ethically and in the public interest, including refraining from disclosing confidential information gained through their job without approval. Under section 153(1) of the Crimes Act 1900 (ACT) (the Crimes Act), it is an offence for a public servant to disclose information that it is their duty not to disclose.

The Standards

  1. The Nursing and Midwifery Board of Australia publishes the Standards. As the Standards explain, they contain “the core practice standards that provide the framework for assessing enrolled nurse (EN) practice”. They “communicate to the general public the standards that can be expected from ENs and can be used in a number of ways…” including “by the Nursing and Midwifery Board of Australia (NMBA) and relevant tribunals or courts to assess professional conduct or matters relating to notifications.”

  1. Standards 1 and 2 of the Standards are set out in the Annexure to this decision. They include expectations that an Enrolled Nurse will:

  1. demonstrate knowledge and understanding of relevant laws,

  2. fulfil their practice duty of care, and

  3. ensure privacy, dignity and confidentiality when providing care.

The CRM Policy

  1. The CRM Policy and its related procedures extend to 65 pages. Its purpose “is to outline the required processes for all CHS staff to ensure consistent, effective, and appropriate clinical record and health information management across CHS”. Among other things, the CRM Policy:

  1. makes clear that “all clinical records are confidential”,

  2. states that health records “should only be accessed, used, and disclosed for the purpose for which the information was collected”,

  3. declares the routine practice of monitoring record access and conducting proactive or reactive audits,

  4. specifies that records should not be stored in unsecured network drives, personal files, desktops, or stand-alone specialised IT systems,

  5. explains the circumstances in which the sharing of personal health information is permitted, to:

    a.members of the treating team (considered to include staff employed by CHS),

    b.health professionals providing follow-up care,

    c.community support services (with the patient’s consent), and

    d.the consumer (patient), if they have consented to email communication – with “extreme care… taken when selecting or entering email addresses”.

  6. explains the circumstances in which sharing of personal health information is not permitted:

    a.where consent for release has been refused or withdrawn by the patient,

    b.if the sharing of information relates to a report under the Children and Young People Act 2008 (ACT) and/or if it would cause significant risk to the health or life of a patient of another person,

    c.if the information is being captured or stored on a personal digital device, unless prior approval has been granted by CHS in strict compliance with related policies, and

    d.by capturing screen dumps of Clinical Information Services or using mobile phones or other portable devices to take digital photos of clinical record documents.

Was the dismissal harsh, unjust, or unreasonable?

  1. Whether a dismissal was harsh, unjust, or unreasonable depends on an assessment of all the relevant facts and circumstances, including those set out in section 387 of the Act.

  1. There is no dispute that the emails relied upon by CHS in relation to the dismissal were sent by Ms Sandland as alleged. What is in dispute, however, is the nature of her conduct in sending the emails, including whether it was in breach of Ms Sandland’s various obligations and duties to CHS and/or its patients, and/or in breach of the law. There are also issues of context, procedural fairness; whether dismissal was a proportionate response to her conduct; the personal history and circumstances of Ms Sandland and fairness as between Ms Sandland and other CHS employees.

Was there a valid reason for the dismissal related to Ms Sandland’s capacity or conduct, including its effect on the safety and welfare of other employees?

  1. The reason given for Ms Sandland’s dismissal was that she engaged in serious misconduct by improperly disclosing personal health information without authorisation on 8 separate occasions. CHS also relies on separate disclosures identified after the dismissal when it undertook a further review of Ms Sandland’s emails.

Did the Health Records Act apply to the disclosures?

  1. The Health Records Act operates in relation to personal health information “wherever it is held in the ACT”.[2] It imposes obligations in relation to the access, use and protection of health records on various entities including a person (an individual for the purposes of Part 5 (Offences) but that otherwise includes a corporation[3]), a health service provider, the health services commissioner, a collector, an entity (which includes an unincorporated body and a person, including a person occupying a position or exercising a function of the entity, whether under a delegation, subdelegation or otherwise[4]), and a record keeper (a broader category of entity that includes a ‘health service provider’ and ‘the health services commissioner’).

  1. Record keeper is defined as “an entity that has possession or control of a health record.” A reference to an “entity” in ACT legislation includes a reference to a person exercising a function of the entity.[5] Under the PSM Act, officers employed by the ACT Government exercise the functions of their office on behalf of the ACT Government. Ms Sandland was an officer appointed to CHS and met the description of an “entity” for the purposes of the Health Records Act.

  1. Did she have possession or control of health records? The words “possession or control” are not defined and in the Health Records Act, have no fixed legal meaning. They are likely not intended to be read as limited to ownership or exclusive possession or control[6] but also to include the holding of health records, whether physically or online. This is because the objects of the Health Records Act are to provide for privacy rights in relation to personal health information; for the integrity of records containing that information; for consumers to access their information and receive explanations in relation to it; and to encourage agreement between those concerned about the exercise of rights, and performance of obligations, under the Health Records Act. These rights would be undermined if the obligations in the Health Records Act only applied to the owners of health records and those who were in control of them. A broader approach to the meaning of the terms “possession” and “control” sits more easily with a framework that has at its heart the rights of consumers to their health information and to safe custody of that information by all of those who hold it.

  1. The Health Records Act recognises that the health records of a person may be held by various entities, and for different purposes. Health records are, by their nature, records that are personal to the individual concerned. Yet they almost always come into existence at the hands of another because their purpose is to assist in the provision of care. Usually, too, they will be owned by someone other than the individual.[7]

  1. The example of a medical certificate is illustrative. A doctor may issue the certificate to a patient and keep a copy in the patient’s file. The doctor is a record keeper in relation to the certificate because they have both possession and control of the record. Upon issue of the certificate, the patient also takes possession of the record. They become, at least for a time, a record keeper (as well as a consumer), although their status as a record keeper may have no practical operation because they already have access to the health record in question, and the right to share it (or not) as they choose. If the patient then provides the certificate to their employer, the employer becomes a record keeper because it now has possession of the certificate and must keep it for 7 years.[8] The question of who owns the certificate is, in such cases, immaterial to whether each entity is a record keeper under the Health Records Act.

  1. To be a record keeper, a person must have sufficient power or authority over a health record such that they have the capacity to comply with the Health Records Act including the Privacy Principles.[9] Plainly, CHS is a record-keeper in relation to the health records of patients at Dhulwa. It has general responsibility for the provision of care to its patients, as well as for the activities of CHS employees and for records management in compliance with the Privacy Principles.

  1. The definition of record keeper does not exclude from its ambit the officers and employees of a record keeper, and there is no reason to read it down in this way. In my view, Ms Sandland was a record keeper too. The scope of her responsibility under the Health Records Act may have been narrower than that of CHS, but Ms Sandland regularly held, and in this way had possession of, health records for use in connection with her employment. This included records held in an email account established by CHS for her exclusive use (subject to its Acceptable Use of ICT Resources policy).

  1. Ms Sandland had the capacity to take reasonable steps to keep the records entrusted to her safe, and to prevent their unauthorised access, use or disclosure by third parties, including by adopting the reasonable security safeguards of following relevant CHS policies and not sharing the personal information of patients with anyone outside of CHS without authorisation or lawful excuse.

  1. I find that the Health Records Act applied to the disclosures made by Ms Sandland.

Did the disclosures comply with s.6(1) of the Health Records Act?

The first disclosure - 18 April 2022 at 8.44am

  1. It is alleged that on 18 April 2022, Ms Sandland provided “the ANMF with personal health information of a health consumer without authorisation”. This involved an email sent by Ms Sandland at 8.44am on Monday 18 April 2022, forwarding an internal email containing a patient’s Interim Management Plan, including the patient’s first name, ward location and gender, to Mr Oram, Mr Thomas Mason of the ANMF, and to the generic email address [email protected].

  1. Whether the disclosure was in breach of the Health Records Act depends in part on whether the information shared with the ANMF was “personal information”. This is defined in the Health Records Act as “any information, recorded or otherwise, about the consumer where the identity of the consumer is apparent, whether the information is fact or opinion; or true or false.” Certainly, the disclosure of 18 April 2022 contained information about a consumer who was a patient at Dhulwa. But was their identity apparent from the information provided?

  1. The term “apparent” is not defined in the Health Records Act”. Adopting its ordinary meaning, the identity of a person will be apparent for the purposes of the Health Records Act if it is capable of being clearly perceived or understood; if it is plain or clear from the information.[10] Relevantly, however, Privacy Principle 10 describes “identifiable information” as information that identifies a consumer, or from which their identity “can be reasonably worked out”. This suggests that the question of whether a person’s identity is apparent from information should also be considered from the perspective of whether their identity can be reasonably worked out from the information.[11] In a similar way to other legislative schemes that rely on the “reasonably identifiable” formulation[12], the assessment of whether a person’s identity is apparent from the information is an objective one, having regard to the context in which the information is shared.

  1. The term “identity” is also not defined in the Health Records Act. Given its ordinary meaning, it includes “the condition, character, or distinguishing features of person or things”; “official information about” oneself;[13] “a person’s name and other facts about who they are”.[14] Partial or incomplete information about a person can be sufficient to identify them in a particular context.

  1. The information disclosed by Ms Sandland on 18 April 2022 contained the patient’s first name, details of their treating team, their institutional location and part of their health record. The disclosure was not isolated: there had been previous communications between Ms Sandland and the ANMF about the patient to which the disclosure referred. This is evident from Ms Sandland’s covering email which says, “this is the patient that…” and goes on to describe events particular to the patient. At the time, Mr Oram was an active participant in discussions about patients at Dhulwa, including with Ms Sandland. The disclosure was made in the context of a small forensic mental health facility that, although it can house up to 17 patients, is not always at capacity, and a secure ward that appears to have housed only 1 or 2 persons at a time. As Counsel for Ms Sandland put it at the hearing, in discussions between employees at Dhulwa and the ANMF about the admission of a new patient in this context, “it’s going to be reasonably obvious who” the discussion is about.

  1. In this context, the email of 18 April 2022 contained information from which the identity of one of the patients referred to in the email could reasonably have been worked out. I find that the identity of the patient was apparent to the ANMF from the email. The information shared with the ANMF was personal information for the purposes of the Health Records Act and, because it contained information collected by CHS in relation to the health and illness of the patient, was also personal health information. It was a health record.

  1. Ms Sandland was required by Privacy Principle 4.1 to ensure the protection of this information by implementing reasonable security safeguards against unauthorised access or disclosure. She did the opposite by sending the record to three non-CHS email accounts. There is no evidence that the disclosure was authorised. The weight of evidence is to the contrary. I find that the disclosure was not authorised by CHS.

  1. Ms Sandland was also required by Privacy Principle 10 not to disclose the information to the ANMF, unless (relevantly) she believed on reasonable grounds that the disclosure was necessary to prevent or lessen a serious and imminent risk to the life or physical, mental or emotional health of the consumer or someone else.

  1. Ms Sandland explains the context in which the disclosure occurred. There had been serious incidents involving patients at Dhulwa on the previous week, on 11 and 15 April 2022. Ms Sandland says this caused her to issue a stop work direction under s.85 of the Work Health and Safety Act 2011 (Cth) (the WHS Act) and prompted WorkSafe ACT to issue 13 provisional improvement notices.

  1. The week commencing 11 April 2022 was certainly a challenging one for the staff of Dhulwa. On 11 April 2022, several staff were injured. WorkSafe ACT issued 2 notices about occupational violence and CHS introduced 2 new staff safety communication mechanisms. A further serious injury was sustained by a member of the security staff on 15 April 2022.

  1. Despite what Ms Sandland describes as a “dreadful” approach to the management of safety at Dhulwa, and without seeking to downplay the serious nature of the incidents in April 2022, this was not a typical week. According to the Inquiry into the Legislative, Workplace Governance and Clinical Frameworks of Dhulwa Secure Mental Health Unit (the Deegan Review), “incidents of violence that have resulted in staff requiring time off work have, on average, numbered about two per year since 2019”.

  1. Ms Sandland made the disclosure to the ANMF and “Workplace Organising Committee” members Arun Babu and Duvi Gulane, for their information and use in connection with work being done to address the safety of staff at Dhulwa. For at least a period of some months, the ANMF and delegates had been compiling data on aggression and violence at Dhulwa. Their work fed into two reviews commenced into the Dhulwa facility after April 2022 – one at the request of CHS in May 2022 following the incidents on 11 April 2022 (the April Review), and the other (the Deegan Review) announced on 2 May 2022 and finalised by Report on 11 November 2022 after an extensive process including more than 52 stakeholder meetings, 1 roundtable, receipt of 68 submissions and a comprehensive documentation review.

  1. Ms Sandland says she sent the email as part of a handover she was providing about what had been occurring. I do not accept that the email was sent as part of any handover. Her covering email on 18 April 2022 is not in the nature of a handover, and the ANMF had no responsibility for the direct management of the patients concerned. It did not need all the information shared by Ms Sandland to carry out its activities, although the information was useful. Approximately ten minutes earlier, Ms Sandland had responded to an internal email about a “Sunday safety update…”. The email from Ms Sonny Ward, Director of Nursing, prompted a response from Ms Sandland about security doors and signed off by “Carol, HSR DMHU”. In my view, the email was sent by Ms Sandland in her capacity as HSR for the purpose of sharing information about staff safety at Dhulwa with the ANMF. It was sent to the ANMF for use as it saw fit.

  1. I consider that Ms Sandland had reasonable grounds for believing that the disclosure would assist with efforts to improve safety for staff at Dhulwa. However, I do not find the disclosure to have been necessary to prevent or lessen a serious and imminent risk, either to staff or patients. Firstly, the disclosure of personal information was not necessary. Information about the same safety risks could have easily been shared without disclosing the patient’s name or an extract from their health record - for example, by writing a summary of her concerns about aspects of the management plan said to pose safety risks (but without identifying information) instead of simply forwarding part of the patient’s clinical file to an external third party. Secondly, I accept that the purpose of the email was to prevent or lessen a serious risk to staff, but I do not find the risk to have been imminent in the circumstances. A patient-specific management plan had been put in place, alongside new responsive steps in relation to the events of 11 April 2022, including as required by WorkSafe ACT.

  1. Ms Sandland says she did not intentionally disclose the name of the patient to the ANMF in her email of 18 April 2022. It is, however, no answer to an alleged breach of the Privacy Principles to say that the conduct in question involved mistake, although it might be a matter relevant to mitigation. Further, I do not accept that this conduct involved mistake. Her covering email refers to another patient as “Patient 1”, indicating some effort on her part to avoid identifying a patient by name. Unfortunately, she did not do the same for both patients referred to in the email. I do not accept that this omission was a mistake. The name of the patient appeared both in the subject line and body of the email. The content of the forwarded email was a clinical record. Ms Sandland was alive to the need to protect patient confidentiality and went to the trouble of de‑identifying a patient in her covering email. She did not alter the information in the email she was forwarding on. It seems likely that Ms Sandland did not consider her obligation to protect patient confidentiality extended to the content of the forwarded emails of others, because this was not an isolated example of the conduct.

  1. I also have difficulty reconciling Ms Sandland’s actions on 18 April 2022 with her evidence that she thought it was legal to breach patient confidentiality in union communications, although it is easier to accept that she felt safe doing so. As this example demonstrates, when it occurred to her, Ms Sandland did try to protect patient confidentiality in her communications with the ANMF. Ms Sandland knew that she was not authorised to share the personal information of patients with the ANMF without first obtaining relevant consent or approval.

  1. The disclosure did not comply with the Health Records Act.

The second disclosure - 6 November 2022 at 8.56am

  1. It is alleged that on 6 November 2022, Ms Sandland provided “the ANMF with personal health information of a health consumer without authorisation” (being their forensic history and a copy of their health record including a range of identifying information).

  1. At 8.20am on Sunday 6 November 2022, Ms Sandland scanned a copy of what is known as a “DMHU Treatment, Placement, Restrictions, Implementation, Monitoring (TPRIM) Form to her work email address. When scanning the document, Ms Sandland redacted identifying details such as the patient’s name and signature by placing what appears to be a blank piece of paper over them. Details remaining included the patient’s age and gender, ward location and room, history of mental illness and medication prescriptions. The emailed scan sent to Ms Sandland’s email came with the following generic message from CHS:

“This email, and any attachments, may be confidential and also privileged. If you are not the intended recipient, please notify the sender and delete all copies of this transmission along with any attachments immediately. You should not copy or use it for any purpose, nor disclose its contents to any other person.”

  1. It seems that Ms Sandland did not heed the message, because approximately half an hour later, at 8.56am on 6 November 2022, Ms Sandland forwarded the scanned TPRIM form to Mr Oram. The covering email explains that the form is “for our newly admitted Patient”, suggesting a previous discussion with Mr Oram about the patient and that he knew both of the existence of the patient and that they were new to the facility.

  1. On its face, the purpose of sending the email was to complain of the inexperience and unprofessionalism of the Clinical Development Nurse (CDN) and Clinical Nurse Consultant (CNC) who had worked at Dhulwa two days before. In her email, Ms Sandland alleged that both nurses had previously worked with, and were being protected or treated favourably by, Ms Kleinig, at the expense of two former employees. I cannot be sure, but it may be that one of these was a nurse that had recently been dismissed, to which the April Review referred when commenting about a likely connection between the dismissal and negativity between the nursing team and management.

  1. Ms Sandland says that she shared the record with Mr Oram because of her concerns for the safety of employees tasked with admitting the patient with only very little information. This was a legitimate concern, noting the scant details contained in the TPRIM form compared with the forensic history of the patient. The form itself encourages the provision of a level of detail not met by the answers given in this case. While the record shared with Mr Oram did not disclose the name of the patient, it did disclose their age, forensic history, a clinical record personal to them, their medication, specific ward location and approximate date of admission.

  1. In this context, the email of 6 November 2022 contained information from which the identity of a patient could reasonably be worked out. I find that the identity of the patient was apparent to the ANMF from the email. The information shared with the ANMF was personal information for the purposes of the Health Records Act and also personal health information (information collected by CHS in relation to the health and illness of the patient). It was a health record.

  1. As with the first, this second disclosure did not comply with Privacy Principle 4.1. The only step taken by Ms Sandland to safeguard against the unauthorised access or disclosure of the patient’s information was the redaction of their name and contact details from the top of the TPRIM form. This was not sufficient to protect against the disclosure of the patient’s personal information given the contents of her covering email containing an extract from another clinical record describing the patient’s forensic history in some detail, and other unredacted identifying features in the TPRIM form. The disclosure was not authorised by CHS. On the contrary, it was expressly prohibited by CHS policies, a matter to which I will return.

  1. Ms Sandland was also required by Privacy Principle 10 not to disclose the information to Mr Oram unless a relevant exception applied. I do not find that Ms Sandland reasonably believed the disclosure necessary to prevent or lessen a serious and imminent risk to the life or health of a person. The purpose of the disclosure was to highlight the professional shortcomings of her colleagues. It was not necessary, to make the point, that the personal information of patients be disclosed.

  1. The disclosure of 6 November 2022 did not comply with the Health Records Act.

The third disclosure - 8 November 2022 at 11.39am

  1. It is alleged that on 8 November 2022, Ms Sandland provided the ANMF with personal health information of a health consumer without authorisation” (involving an entry from a health record on an internal record-keeping system detailing a decision relating to a belt).

  1. At 11.39am on Tuesday 8 November 2022, Ms Sandland sent an email to Mr Oram with an extract of an entry made the same day in CHS’s internal record keeping system, MAJICER. The entry noted a discussion between the patient’s treating team 5 days earlier, on 3 November 2022, where a decision was made with which Ms Sandland did not agree. The email summarised the patient’s forensic history to Mr Oram. The name of the patient was redacted, but it is apparent from the forensic history that this was the same patient to whom the earlier forwarded TPRIM form of 6 November 2022 referred. Accordingly, I find that it was personal information and a health record for the purposes of the Health Records Act.

  1. The disclosure was inconsistent with Privacy Principle 4.1, because no reasonable security safeguards were put in place by Ms Sandland to protect against the unauthorised access or disclosure of the information. On the contrary, Ms Sandland disclosed the information to Mr Oram in circumstances where she was not authorised to do so.

  1. The disclosure was also inconsistent with Privacy Principle 10, which required Ms Sandland not to disclose the information to Mr Oram, unless a relevant exception applied. In my view, there were reasonable grounds for Ms Sandland to have believed that this disclosure was necessary to prevent or lessen a serious and imminent risk to the life or health of a person. The risk identified was a serious one, about access to weapons on the ward, and the risk was imminent in that the patient had only recently been admitted and now had access to a potential weapon. A select group of nurses were required to interact with the patient to provide daily care and undertake assessments. Although approval for access to the potential weapon had been given 5 days before the disclosure, the record shared with Mr Oram was made on the same day as the disclosure.

  1. However, I am not satisfied that Ms Sandland held the relevant belief at the time, such that an exception to Privacy Principle 10 applied. Ms Sandland says she sent the email to Mr Oram on 8 November 2022 because she was concerned about patient safety. That may have been part of her concern, but it was more about the competency of her peers in relation to the safety of staff. Ms Sandland was already dealing with concerns about the lack of information given to staff about patients. This prompted subsequent discussion among ANMF representatives about the need for new or revised policies, including a “restricted object approval process”.[15]

  1. Her primary purpose in sending the email was to again demonstrate poor and uninformed decision‑making by the patient’s treating team (both management and doctor) and to update Mr Oram about progress in dealing with similar concerns of two days earlier. She ended the email with an expression of disdain rather than any urgent call for action, writing: “LOL Really are you kidding… IN UNION”.

  1. The disclosure of 8 November 2022 did not comply with the Health Records Act.

The fourth disclosure - 19 January 2023 at 2.16pm

  1. It is alleged that on 19 January 2023, Ms Sandland provided the ANMF with personal health information of a health consumer without authorisation” (being a direct copy of a progress note about a dog visit from the patient’s medical health record).

  1. On 9 January 2023, Mr Oram had written to Ms Katie McKenzie, Executive Director, about the need for consultation on new or updated policies, including the “CHS Guideline Animal Visits”. In addition to seeking consultation on policies, it appears that Mr Oram was looking for evidence to support a dispute about consultation with CHS. In response to a separate forwarded email from Ms Sandland on 12 January 2023 about whether security would be returned to the acute ward, he wrote:

“Thanks so much Carol

Getting this from Peta is very helpful.
We can now look at potentially breaching them on consultation.”

to which Ms Sandland replied:

“FANTASTIC”.

  1. On 18 January 2023, a patient’s dog was brought into the facility. This upset the nurses, some of whom were afraid of dogs, or had allergies, or felt there had been no consultation about having a dog on the acute ward. Someone, who I infer was Ms Sandland due to subsequent events, contacted Mr Oram and told him about it. Mr Oram wrote to Ms Kleinig, copying in Ms Ward and Ms Sandland. He asked for information about the dog and the steps taken in relation to its entry into the facility. He alleged that CHS had not followed its policy on Animal Visits. He described some of what he knew about the patient who owned the dog, including details of their transfer to the ward and whether they were entitled to have a dog visit.

  1. At 1.16pm on Thursday 19 January 2023, Ms Sandland forwarded Mr Oram an email chain between Ms Kleinig and members of the treating team about the patient who was allowed to see their dog. The email contained the name of the patient, information about the dog visit / therapeutic intervention, and discussion at the safety huddle that morning.

  1. At 2.05pm on 19 January 2023, Ms Sandland scanned a copy of the staff safety huddle of the previous day. She forwarded the scan to Mr Oram with a covering note pointing out that there was no mention of the dog in the huddle record, but that the patient transferring from one ward to another was mentioned. CHS says that patient names were partially visible in the huddle record provided to Mr Oram and there is no evidence to the contrary.

  1. Approximately 10 minutes later, at 2.16pm on 19 January 2023, Ms Sandland sent an email to Mr Oram with a copy of a Social Workers’ note about the dog visit from the day before. The subject of the email was “Please see Social Workers note from yesterday 18/1/23”. The name of the patient referred to in the note was redacted but had been disclosed an hour earlier in a separate email. Unredacted was the remainder of the clinical record shared with Mr Oram, including the name of the patient’s dog, its location at an identified boarding kennel, and the gender of the patient.

  1. The information shared with Mr Oram was personal information about a patient at Dhulwa. From the information, the patient was able to be identified by first name, initials, gender and ward location as well as by reference to one or more members of the treating team. The additional information about their dog and its location was information from which the identity of the patient could reasonably have been worked out. I find that the identity of the patient was apparent to the ANMF from the email. The information shared with the ANMF was personal information for the purposes of the Health Records Act and as it contained information collected by CHS in relation to the health and illness of the patient, it was also personal health information and a health record for the purposes of the Health Records Act.

  1. Ms Sandland was required by Privacy Principle 4.1 to ensure the protection of this information by implementing reasonable security safeguards against unauthorised access or disclosure. Rather than taking such steps, she disclosed the information to Mr Oram without authorisation. In doing so, she did not comply with Privacy Principle 4.1.

  1. Privacy Principle 10 required Ms Sandland not to disclose the information to Mr Oram unless a relevant exception applied. Ms Sandland says she sent the 2.16pm email to Mr Oram because there had recently been issues with animals coming on to the ward, including Ms Kleinig’s dog who she says was left for staff to look after, and she was concerned about staff safety and CHS not following policy. Ms Sandland does not recall staff being told on 18 January 2023 that the dog would be visiting the facility that day. Her recollection is at odds with records made at the time by Ms Kleinig and by two other nurses, who recalled Ms Kleinig advising (but not consulting) about the dog coming to Dhulwa that afternoon.

  1. Ms Sandland also says she sent the email to protect herself because of different accounts about what had been said at the huddle from staff and Ms Kleinig. She says a huddle record that did not mention the dog being brought in was later changed after her Riskman report. This change made Ms Sandland very angry. She felt she was being set up. If there was such a change however, it can only have been made after sending the 2.16pm email. It did not form part of Ms Sandland’s reasons for sending the email to the ANMF at 2.16pm on 19 January 2023.

  1. At 2.17pm on 19 January 2023, Ms Sandland forwarded another email to Mr Oram and others who it appears were involved in the work of the ANMF. The email set out concerns about the dog visit of the day before, and excerpts of the CHS Policy on Animal Visits alleged to have been breached. The email referred to the patient concerned by their initials.

  1. At 9.40am on 20 January 2023, Ms Kleinig replied to Mr Oram’s email of 18 January 2023. She told him that the information he had received was not accurate, that there had been a proper clinical process to facilitate the dog visit, and that the Animal Visits policy was a guideline rather than a policy or procedure. She noted that the matter had been discussed in the safety huddle of 18 January 2023 and that employees had not voiced any concerns. She assured him that the guideline had been considered, and no staff were placed at risk.

  1. Mr Oram replied to Ms Kleinig approximately two hours later, expressing concern about the lack of clarity in relation to animal visits at Dhulwa. It is not clear what happened after that, other than that there was a commitment to further communication.

  1. As with her earlier emails, the concerns raised by Ms Sandland about the dog visit were legitimate. It was reasonable for staff at Dhulwa to expect the Animal Visits policy or guideline to be followed. It was appropriate for Ms Sandland to bring the matter to the attention of both CHS and the ANMF so that the concerns of staff could be addressed. But in bringing it to the attention of the ANMF, she did not believe (and could not have believed) on reasonable grounds that the disclosure of the patient’s personal health information was necessary to prevent or lessen a serious and imminent risk to life or health. The identified risk was not both serious and imminent - it was in the past, and the potential future. Nothing could have been done to prevent or lessen the risk to any person of the dog visit the day before. The disclosure of the patient’s personal information was also not necessary, because what were legitimate concerns held by Ms Sandland, could readily have been brought to the attention of the ANMF in a way that did not make these disclosures.

  1. The disclosure did not comply with the Health Records Act.

The fifth disclosure - 6 February 2023 at 1.43pm

  1. It is alleged that on 6 February 2023, Ms Sandland provided the ANMF with personal health information of a health consumer without authorisation” (being detailed notes pertaining to a planned admission, containing a range of identifying information about the patient).

  1. On 2 February 2023, there was an admission planning meeting for a patient with recent violent history. Ms Sandland was sent a copy of the detailed admission planning notes as a member of the nursing staff. She responded to the email from Ms Kleinig by asking if security would be placed back in the nurse’s station on the ward. Ms Kleinig responded on 6 February 2023 in a way that Ms Sandland found unsatisfactory. At 1.43pm on 6 February 2023, Ms Sandland forwarded the email chain including the patient’s detailed admission notes to Mr Oram in full. There is no evidence that she was authorised to disclose this information outside of CHS. The information included the patient’s full name, age, medical and forensic history, medications and management plan. It was a health record for the purposes of the Health Records Act.

  1. The sending of this information to Mr Oram was inconsistent with Privacy Principle 4.1, as it did not ensure the protection of the information through the implementation of reasonable security safeguards against unauthorised access or disclosure. It was also in breach of Privacy Principle 10, which required Ms Sandland not to disclose the information to Mr Oram unless a relevant exception applied.

  1. Ms Sandland says she sent the email because she was concerned about the safety of nurses and wanted the ANMF to raise the matter with management. She says it was a mistake to send the patient’s name; that this was not her usual practice; and that she was sorry she did so. I accept Ms Sandland’s evidence as to the reason she sent the email, but I do not accept that it was her usual practice not to disclose patient names to the ANMF. The submission is not established on the evidence of her various disclosures to the ANMF (including to Mr Oram). I also do not accept that the failure to redact the patient’s name in this instance was a mistake. The disclosure is too obvious to have been overlooked.

  1. I do not find that in disclosing this information to the ANMF, Ms Sandland believed, on reasonable grounds, that disclosure of the information was necessary to prevent or lessen a serious and imminent risk to life or health. Admission of the patient was scheduled for two weeks later. The admission was likely to involve serious risk to staff, certainly. But the risks were not yet imminent, and the concerns of Ms Sandland were capable of being communicated to the ANMF in a way that did not lay the personal health information of the patient bare.

  1. The disclosure did not comply with the Health Records Act.

The sixth, seventh and eighth disclosures - 26 December 2020 and 23, 25-26 July 2022

  1. It is alleged that on each of these dates, Ms Sandland sent “the personal health information of multiple health consumers to her personal email without authorisation.”

  • The emails of 26 December 2020 and 25 July 2022

  1. At 7.49am on 26 December 2020, Ms Sandland forwarded an internal CHS email to her personal email account containing a detailed doctor’s review and plan for a patient at Dhulwa. The email included the first name and second initial of the patient, their medical and forensic history, treatment details, treating team, and security arrangements - including dates during which they were a patient at the facility. The forwarded information is so detailed in relation to the patient that their identity is readily apparent. It is personal information and a health record for the purposes of the Health Records Act.

  1. The reason Ms Sandland sent the email to her personal email account in December 2020 remains unexplained. I do not accept that it was so that Ms Sandland could undertake work that CHS required her to perform at home, or so that Ms Sandland could respond to a request from WorkSafe ACT. The former appears to be no more than speculation about an action more than 2 years ago. I do not accept Ms Sandland’s general evidence that it was common for nurses to take confidential patient information home or that they were authorised to do so. CHS expressly denies these assertions and CHS policies speak against it. It also seems inherently unlikely in the context of the undisputed and fundamental duty that nurses have to ensure the dignity of patients, including by protecting their privacy. As to the request from WorkSafe ACT, it came approximately 18 months after Ms Sandland sent the email to herself. It cannot have been the reason for the original communication.

  1. The sending of this information to her personal email accounts was inconsistent with Privacy Principle 4.1, as it did not ensure the protection of health records through the implementation of reasonable security safeguards against unauthorised access or disclosure (the obvious safeguard being to store it only in her CHS email account and not outside of CHS). The email of 26 December 2020 remained in Ms Sandland’s private email account, on a third‑party server over which CHS had no control, and about which CHS had no knowledge, for at least 18 months. It was then sent back to Ms Sandland’s work email on 25 July 2022 at 11.48am.

  1. At 11.52am on 25 July 2022, Ms Sandland forwarded further internal CHS emails from her personal email account to her work email account. The email chain has “Property damage” in the subject line and shows these emails initially being sent from Ms Sandland’s work email to the ANMF and copied to her personal email on 8 November 2020. The apparent purpose of the email was to share information with the ANMF (and to keep her own record of the information) about an issue with a broken door. The emails contained information about patients at Dhulwa in 2020, including notes from the treating doctor at the time.

  1. The email sent by Ms Sandland at 11.48am on 25 July 2022 was also inconsistent with Privacy Principle 10. Ms Sandland was required not to disclose the information unless she believed on reasonable grounds that the disclosure was necessary to prevent or lessen a serious and imminent risk to the life or physical, mental or emotional health of the consumer or someone else. I cannot see how this exception could have applied to an email Ms Sandland sent to herself in December 2020 for reasons unexplained.

  1. Ms Sandland says she thought the emails were relevant to WorkSafe looking into things that had happened, but there is no evidence that she sent the emails (or the information it contained) either to WorkSafe or anyone else. The request for information from WorkSafe had been made in May 2022, more than two months earlier. Except for Ms Sandland’s assertion, there is nothing in the materials connecting Ms Sandland’s activities in July 2022 with WorkSafe (unlike the evidence that exists for May 2022 and October 2022). In an email on 16 May 2022, WorkSafe asked Ms Sandland to send it copies of emails and documents they had spoken about. Ms Sandland responded on 18 May 2022 to say that she would send them from home. It is reasonable to expect that if there was further correspondence with WorkSafe in July 2022 (for example, a copy of an email sent to WorkSafe), this could have been produced by Ms Sandland in answer to Allegation 6. It follows that I do not accept Ms Sandland’s explanation that she sent this information to her personal email accounts in response to a request from WorkSafe.

  1. Ms Sandland says she was the only one who had access to the information stored in her private email account. I doubt that to be a correct understanding of the position. Third‑party email servers, such as those in which these emails were stored, are owned and controlled by technology companies that have the ability to access data stored on their servers for a range of purposes, including for monitoring user safety and usage. This is so whether they choose to access the information or not.

  • The email of 23 July 2022

  1. On 23 July 2022, Ms Sandland sent multiple emails to her personal email accounts containing personal health information about patients at Dhulwa. This included the email relied upon by CHS in the letter of termination, which was sent by Ms Sandland at 10.58am on 23 July 2022 and forwarded a scanned copy of a Patient Progress record to her two personal email accounts. The Patient Progress record was copied with the patient’s name, date of birth and address redacted. Unredacted were the patient’s home and mobile phone number, their status as a patient of Dhulwa four months earlier, and notes of discussions between doctors about their leave. I am satisfied that the Patient Progress record was personal information for the purposes of the Health Records Act.

  1. For the same reasons as above, the sending of this information to her personal email accounts was inconsistent with Privacy Principle 4.1, as it did not ensure the protection of health records through the implementation of reasonable security safeguards against unauthorised access or disclosure (the obvious safeguard being to not share it outside of CHS systems). It was also inconsistent with Privacy Principle 10, because there is no basis upon which to find that Ms Sandland believed on reasonable grounds that the disclosure was necessary to prevent or lessen a serious and imminent risk to the life or physical, mental or emotional health of the consumer or someone else. Ms Sandland scanned the document to her email at 6 minutes past midnight on 23 July 2022 and then sent it on to her personal emails approximately 11 hours later. As noted above, there is no evidence that Ms Sandland then sent the information on to WorkSafe. The email was about the leave approval process, and Ms Sandland’s concern about the risks arising from the way it was being managed at Dhulwa. There is no basis to find that it was sent for the purposes of mitigating against a serious and imminent risk, or that to do so, it was necessary to share and store the patient’s personal information outside of CHS.

  • The email of 26 July 2022

  1. At 7.33am on 26 July 2022, Ms Sandland forwarded an email to her two personal email accounts containing scanned documents she had generated at work the night before at 8.56pm. The documents included an email chain about appropriate completion of patient leave application forms, a copy of two such applications (with patient name and personal information redacted on the front page) and a therapeutic leave plan. Despite redactions, the identity of the patient is readily apparent from a reading of the documents together.

  1. The email chain refers to the patient by their first, middle and last name initials. It explains that an application for leave has been submitted and that the patient has been approved for leave before, with a different “leave scale”. It describes the window during which the leave is proposed to be taken.

  2. The earlier dated application for leave does not name the patient. The name block has been redacted. Unredacted is the patient’s “consumer type”, custodial status and mental health order status and name of treating psychiatrist. The type of leave approved is category “E”.

  1. The therapeutic leave plan has the patient’s personal information redacted on the front page, but describes the same window for leave referred to in the covering email and is signed by the patient on the back page. Their name is set out in full and corresponds with the initials used to describe the patient in the covering email.

  2. The later dated application for leave identifies the patient in full. While an attempt has been made to redact the name block using black ink, it is ineffective. The patient’s name, date of birth, gender, care plan basis, identifying number and admission date are visible through the ink. The patient’s consumer type, custodial status, mental health order status and name of treating psychiatrist are unredacted and correspond exactly with the information on the earlier dated application for leave. A different type of leave (category “F”) is approved, as the covering email identified. Reference is made on the application to the same window for leave described in the patient’s Therapeutic Leave Plan.

  1. Once again, the sending of this information to her personal email accounts was inconsistent with Privacy Principle 4.1, as it did not ensure the protection of health records through the implementation of reasonable security safeguards against unauthorised access or disclosure and instead shared and stored it outside of CHS. It was also inconsistent with Privacy Principle 10. When she sent this email to herself on 26 July 2022, Ms Sandland did not believe on reasonable grounds that the disclosure was necessary to prevent or lessen a serious and imminent risk to the life or physical, mental or emotional health of the consumer or someone else. She had ongoing and legitimate concerns about the leave approval process, but her actions were not directed at addressing a serious and imminent risk. It was also not necessary in the circumstances for the personal information of Dhulwa patients to be shared and stored in her personal email accounts.

Further emails relied on by CHS after the dismissal

  1. After the dismissal and in response to matters raised by Ms Sandland in the proceeding, CHS revisited the emails obtained through its earlier audit processes. It identified numerous additional emails sent by Ms Sandland involving the unauthorised disclosure of patient information. Some of those are described above as part of an email chain related to the allegations against Ms Sandland. Others are summarised below.

  • Emails of 25 June 2017 at 4.10pm and 8.47pm

  1. These emails forwarded an unredacted scan of the same progress note from a patient file from Ms Sandland’s work to her personal email account. The progress note includes the full patient name, date of birth, gender, patient number (URN) and details of their care including medications, their DASA score and treatment.

  • Email of 27 June 2017 at 7.55am

  1. This email forwarded an internal CHS email to Ms Sandland’s personal email address. It contains the first and last name and treatment details of a patient at Dhulwa. It is personal information for the purposes of the Health Records Act.

  • Email of 13 August 2017 at 7.34am

  1. This email is a forwarded email chain between Ms Sandland and Mr Thando Gogwana, a student and former work colleague who had temporarily worked at Dhulwa as a casual nurse. In the email chain, Ms Sandland offered to send Mr Gogwana monthly “DHMU Security and Facility Meeting” papers including Riskman reports, which she received as the new HSW, for his private use. Mr Gogwana responded, including to say:

“In terms of the info, I truly appreciate you’re breaking all known confidentiality records, placing yourself at risk of confidentiality/ privacy breach and I promise to keep this discussion and the info private.”

  1. He emphasised his interest in “anything in your possession with aggression/violence info.” Ms Sandland forwarded the email chain to her personal email address 3 days after her exchange with Mr Gogwana.

  • Email of 7 October 2018 at 7.35am

  1. This email forwarded an internal email about patient leave from Ms Sandland’s work to her personal email account. The email included the patient’s full name, treatment details and information about leave.

  • Email of 15 October 2018 at 7.33am

  1. This email forwarded a “Daily Consumer List” from Ms Sandland’s work to her personal email address. It includes information about multiple patients including their first name and initial of surname, dates of birth, Aboriginal and Torres Strait Islander identification status, admission status and dates, aspects of care and leave status.

  • Email of 8 June 2020 at 12.13pm

  1. This email forwarded a copy of 11 progress notes about a patient from Ms Sandland’s work to her personal email address. The progress notes detailed information about the patient including their initials, first and last name, gender, medications, behaviour, ward location and admission and treatment information in the previous month.

  • Email of 8 June 2020 at 11.55am

  1. This email forwarded progress notes about another patient from Ms Sandland’s work to her personal email. It contains the patient’s full name, date of birth, multiple progress notes and entries about their medication and care, ward location and behaviours.

  • Email of 8 June 2020 at 11.57am

  1. This email forwarded a patient’s progress note from Ms Sandland’s work to her personal email. It contains the patient’s first name, ward location, and information about an incident involving them and another patient referred to by their initials.

  • Email of 8 June 2020 at 9.15am

  1. This email forwarded progress notes about a patient from Ms Sandland’s work to her personal email. It contains the patient’s full name, ward location, and aspects of the patient’s care and medication.

  1. As these emails demonstrate, Ms Sandland regularly sent personal health information about Dhulwa patients from her work to her personal email accounts. She did so in circumstances where there is no evidence of her first seeking approval for the conduct or seeking to understand whether it was appropriate, or even by perusing relevant CHS policies. The emails weigh against Ms Sandland’s evidence that her usual practice was to redact patient names when sharing information outside of CHS. I am satisfied that sometimes she did try to protect patient privacy by redacting information from her communications. But Ms Sandland did not always do so, and when she did, her efforts were frequently incomplete because they redacted only some, rather than all, of the references to a patient’s name or other identifying information in single documents and/or email chains.

  1. The emails are also examples of occasions when Ms Sandland shared the personal information of patients outside of CHS in contravention of Privacy Principles 4.1 and 10 and the Health Records Act. I find no evidence of any relevant circumstance that might have made her disclosures lawful on the grounds that Ms Sandland was authorised to make the disclosures, or that an exception to the Privacy Principles applied.

Did the disclosures fail to demonstrate “reasonable care and diligence” as required by s.9(1)(d) of the PSM Act?

  1. Ms Sandland submits that if her conduct was not in breach of the Health Records Act, all of the allegations against her must fall away. That is neither how the allegations were put to Ms Sandland, nor consistent with the complex regulatory environment in which she worked, including her various separate and distinct obligations under the Health Records Act, the PSM Act, her contract of employment and her duties as a nursing professional.

  1. I have found that Ms Sandland’s conduct in relation to each of the emails did not comply with the Health Records Act. On that basis alone, she failed to demonstrate reasonable care and diligence as required by section 9(1)(d) of the PSM Act.

  1. It is not however necessary for conduct to be unlawful to be characterised in this way. The repeated and unauthorised disclosure of patient information to the ANMF was inconsistent with Ms Sandland’s obligations as a member of the ACT public service and an employee of CHS bound to follow its lawful and reasonable directions (discussed further below). Through this lens also, Ms Sandland’s conduct represented a failure to demonstrate reasonable care and diligence as required by section 9(1)(d) of the PSM Act.

  1. There were simple steps available to Ms Sandland to protect the dignity of patients for whom she had nursing responsibilities. These included providing summaries of her concerns to the ANMF and others instead of simply forwarding source documents containing personal information to them or taking greater care with the attempted redaction of personal information, or not sharing the information outside of CHS in the first place. She could have consulted with either CHS or the ANMF about how best to share information in a way that treated patient privacy as important. She could have found and read the policies dealing with patient privacy and information handling that were available to her through CHS, to better understand or clarify any confusion about how and when such information could be shared. If she could not find relevant policies, she could have asked for them to be provided to her directly.

  1. I reject the submission to the effect that the sheer number and complexity of CHS policies relieved Ms Sandland of her responsibility in relation to them. In her role as delegate and HSR, Ms Sandland was, and should have been, familiar with the importance of workplace policies. There is evidence that she sought to ensure CHS’s own compliance with its policies when workplace concerns arose. Although I accept it as unlikely that any employee would be across every detail of every organisational policy in a workplace the size of CHS, this must be weighed against the opportunity made available by CHS for all of its employees to access relevant policies as and when required (either by direction or on their own initiative).

  1. In my view, it would not have been difficult for Ms Sandland to discover how to find policies about the sharing of information outside of CHS, and then to locate and read those policies. Each of these steps were reasonably open to Ms Sandland. None would have unreasonably impinged on her ability to perform her roles as nurse, union delegate or HSR, although it might have meant a little more effort in the preparation of communications, or in the keeping of records specific to her role.

  1. For these reasons, Ms Sandland did not meet the expectations of section 9(1) of the PSM Act when acting in connection with her job as an enrolled nurse at Dhulwa. She did not comply with laws applying in the ACT when she disclosed information outside of CHS contrary to the Health Records Act. This same conduct meant that she did not comply with lawful and reasonable directions given to her through CHS policies to keep this information safe. She did not treat all patients at Dhulwa with sensitivity to their right to privacy and dignity when she shared their personal information, and personal health information, outside of CHS without authorisation or consent. And in each of these ways, Ms Sandland did not act with reasonable care and diligence.

Were the disclosures a “criminal act” under the Criminal Code?

  1. The answer to this question is ‘no’, insofar as it relates to breaches of the Health Records Act and the Privacy Principles, because Ms Sandland’s conduct does not fall within one of the categories of offence in Part 5 of the Health Records Act (see paragraph [23] above). A separate issue arises in relation to whether Ms Sandland’s conduct was a crime under the PSM Act because of section 9(2)(d) of the PSM Act, which provides that a public servant must not, without lawful authority, disclose confidential information gained through their job. Under section 153(1) of the Crimes Act 1900 (ACT), it is an offence for a public servant to disclose information that it is their duty not to disclose.

  1. The difficulty is that it was never put to Ms Sandland that her conduct was or may have been an offence under section 153(1) of the Crimes Act 1900 by reason of her duty not to disclose confidential information under the PSM Act. Given the seriousness of the matter, it would not be appropriate to make any findings in this regard. Even if it were, the nature of the Commission’s role as a quasi-judicial tribunal tells against it.

Did Ms Sandland appropriately handle and protect sensitive information under the Standards?

  1. I summarised above, the Standards of primary relevance to this case, developed by the Nursing and Midwifery Board of Australia in its regulatory role that includes establishing requirements for the professional and safe practice of nurses in Australia. To restate those briefly, Standards 1.1 and 2 require nurses to demonstrate knowledge and understanding of relevant laws pertinent to nursing practice, and to practice nursing in a way that ensures the rights, confidentiality, dignity and respect of people were upheld, and to ensure privacy, dignity and confidentiality when providing care.

  1. As an experienced enrolled nurse, and as conceded at the hearing, Ms Sandland knows about the importance of patient confidentiality. This is and should be unexceptional in the context of her role and experience. Despite this knowledge, the conduct described above demonstrates that Ms Sandland did not always practice nursing in a way that ensured the privacy, dignity and confidentiality of patients in her care. In other words, Ms Sandland did not always meet the standards expected of her by the nursing profession.

Did the disclosures undermine the integrity of CHS’s handling of personal health information?

  1. At the time that she was preparing to commence employment with CHS on 18 July 2016, Ms Sandland completed a form titled “New Employee Information Pack”. Under a section headed “My Obligations”, the form averted to her obligations as an ACT public servant under “a range of legislation and policy”, including the “General Obligations of Public Employees” (including in relation to the unauthorised disclosure of information), the “Workplace Privacy Policy”, the “Acceptable Use of ICT Resources Policy” (the ICT Policy) and the relevant enterprise agreement(s). It said:

“As a member of the ACT Public Service, your actions and behaviour are governed by a range of legislation and policy. Your offer of employment with the ACT Public Service is conditional upon reading and understanding the following policy statements. By signing and dating this form you are acknowledging that you have read and understand these policies, conditions and requirements.”

  1. Ms Sandland signed and dated the form, and in doing so she acknowledged:

  1. That she had read and understood her obligations, specifically, the General Obligations of Public Employees, the Workplace Privacy Policy and the ICT Policy (to which links had been provided in the form as is made clear from the words “linked above”),

  2. That she had been given the opportunity to read and understand her entitlements as established under Commonwealth and ACT Law, specifically, the Fair Work Information Statement, Superannuation Standard Choice, and Superannuation Entitlements,

  3. That the information she had provided on the form was true and correct, and that any qualifications or proof of professional registration submitted with her application were genuine, and

  4. that she gave consent for her Information to be released to the AFP, Crimtrac and other Australian jurisdictions for the purposes of a national criminal history record check.

  5. On 10 November 2016, Ms Sandland undertook a “Workplace Induction Pathway”. In a form describing ACT Health’s “organisational context”, she declared that she had “been shown where to find relevant Policies, procedures, Guidelines and Standard Operating Procedures”.

  1. The General Obligations of Public Employees document is not in evidence. To the extent that it recounts the general obligations of ACT public servants under section 9 of the PSM Act, those are dealt with separately in this decision.

  1. The ICT Policy was in place throughout the period of Ms Sandland’s employment and although it had been updated over that time as the amendment history makes plain, its material terms remained over that time. The purpose of the ICT Policy is to instruct ACT Public Service employees and contractors (“staff”) in the acceptable use of information and communications technology (ICT) resources, including about acceptable, prohibited use, information security, security practices and compliance. It is based on the overarching principle that employees must comply with the PSM Act, the Public Sector Management Standards 2006 and the Public Sector Code of Conduct.

  1. Among other things, the ICT Policy clearly states:

  1. Do not use ICT resources to engage in any unlawful conduct, or any conduct that contravenes legislation including but not limited to the … Health Records Act,

  2. Do not disclose confidential information without approval of the delegate,

  3. Do not disclose official information to unauthorised recipients. Authorisation to disclose official information to recipients, including the public, must first be obtained from the data steward for that information,

  4. You must be particularly careful to:

    ·     use personal information only for the purpose for which it has been provided

    ·     take reasonable steps to protect personal information from loss or disclosure, and

    ·     never disclose personal information to unauthorised recipients,

  5. Always follow the applicable ACT and Commonwealth legislation when using personal information related to health, education, legal matters, child protection, corrections and community services,

  6. Do not send sensitive or classified information to external parties unless it is appropriately protected and authorised for use by your directorate or public authority,

  7. Do not send ACT Government information to private email accounts.

    ·Exceptions to this may apply, i.e. where end-of-employment forms need to be retained as personal copies by the separating employee,

  8. ACT Government monitors staff use of Government computers and ICT systems.

  9. In the absence of an explicit waiver, the use of ICT resources for activities that might be inappropriate is forbidden and may lead to disciplinary action being taken against the staff member, and

10.Breach of the ICT Policy may constitute misconduct under the PSM Standards. Disciplinary action can include counselling, formal warning, conditions placed on continuing service, deductions from salary, changes to employment contract or termination of engagement.

  1. The Workplace Privacy Policy is also not in evidence. Before me instead are the CHS Policies on Information Privacy and Consumer Privacy. The former does not apply to the management of personal health information and so can be put to one side. The latter deals with the privacy of personal health information, together with (relevantly) the CRM Policy, the Clinical Records Management Procedure and the Confidentiality, Privacy, and Access to Mental Health, Justice Health and Alcohol and Drug Services Clinical Records Operational Procedure (the Confidentiality, Privacy and Access Procedure).

  1. The Consumer Privacy Policy was issued on 20 October 2021 and sets out what consumers have a right to expect. This includes that their personal health information will be protected in accordance with the Health Records Act and that this information may be shared with another person only if this is important for their healthcare or is in accordance with the Health Records Act.

  1. Expressly stated in the Consumer Privacy Policy is that:

“Health professionals have a duty to maintain the confidentiality of all information that is directly or indirectly gained, created or disclosed to them while providing treatment or care to consumers.”

  1. The Consumer Privacy Policy also states that:

  1. CHS is committed to ensuring that people who access care at CHS have their privacy safeguarded; a goal that will be achieved by ensuring that all personal health information that CHS holds is secure and protected from unauthorised access or misuse,

  1. The procedural deficiencies described above, and which for the most part could easily have been avoided, tip the balance in favour of a finding that the dismissal was unreasonable. It follows that I am satisfied that Ms Sandland has been unfairly dismissed.

Remedy

  1. I am satisfied that reinstatement is inappropriate in the circumstances of the case. It is difficult to see how CHS could have the necessary confidence in Ms Sandland’s commitment to patient privacy in accordance with her legal, professional, and contractual obligations in the future. I am, however, satisfied that a remedy of compensation is an appropriate remedy in the circumstances of this case.

  1. Effect on business viability: There is no basis to find that an order for compensation will have a material effect on the viability of CHS.

  1. Length of service: Ms Sandland was employed for approximately 6 years and 4 months. Although this might have affected her entitlement to notice of termination, Ms Sandland was dismissed for serious misconduct and for the reasons above, her conduct met this description. Accordingly, she was not entitled to notice of termination.

  1. Remuneration lost: Having now had the benefit of Ms Sandland’s response to the allegations, I find that dismissal was the likely outcome even if more time had been allowed for her to engage with the disciplinary process. But a more careful and considered approach on the part of CHS would have seen Ms Sandland to remain in employment for a further 4 weeks - sufficient time for CHS to complete its preliminary audit of her emails, provide Ms Sandland with additional time to respond or indicate that she no longer wished to respond, and again review the factual matrix it was faced with before making a final decision on sanction.

  1. If Ms Sandland had worked for a further 4 weeks in CHS, she would have earned a further $5,418.69 gross plus superannuation.

  1. Mitigation:  Ms Sandland has effectively mitigated her loss on and from 27 March 2023 as explained above.

  1. Remuneration earned: Ms Sandland’s earnings in the 4-week period of anticipated employment are nil and no adjustment will be made on this account.

  1. Likely future income: The order for compensation will be payable within 28 days. In this period, Ms Sandland is likely to earn further income in the form of wages and superannuation from the ANMF. This falls outside the anticipated period of employment and does not affect the amount of compensation awarded.

  1. Other relevant matters: There are no other matters relevant to the assessment of compensation.

  1. Contingencies and taxation: Given the short period of anticipated employment, no adjustment is necessary to account for contingencies. Similarly, there is no reason to consider that the compensation amount will be unduly taxed. That is a matter to leave to the parties to deal with in the ordinary way.

  1. Misconduct: I considered Ms Sandland’s contribution to the circumstances that led to her dismissal in determining the anticipated period of continuing employment. It is not appropriate in those circumstances to further adjust the compensation amount.

  1. Overall: I am satisfied that the amount of compensation is appropriate having regard to all the circumstances of the case. It reflects my estimate of Ms Sandland’s likely loss had she not been unfairly dismissed. The amount of compensation does not include any amount for shock, distress or the like and does not exceed the statutory cap.

  1. I will order CHS to pay Ms Sandland $5,418.69 gross, less applicable taxation, plus superannuation on the compensation amount. No submission has been made in support of payment of any compensation amount by instalments and no such order will be made. The amount will be payable within 28 days of this decision.

COMMISSIONER

Appearances:

M Gibian of Counsel for the applicant.
K Weir of Counsel for the respondent.

Hearing details:

2023.
Canberra:
July 11, 12.
August 25.

Annexure – Relevant regulatory framework

Meaning of serious misconduct

  1. For the purposes of the Agreement, “serious misconduct” has the meaning given to it by Regulation 1.07 of the Fair Work Regulations 2009 (the Regulations), which provides:

Meaning of serious misconduct

(1)For the definition of serious misconduct in section 12 of the Act, serious misconduct has its ordinary meaning.

(2)For subregulation (1), conduct that is serious misconduct includes both of the following:

(a) wilful or deliberate behaviour by an employee that is inconsistent with the continuation of the contract of employment;

(b) conduct that causes serious and imminent risk to:

(i) the health or safety of a person; or

(ii) the reputation, viability or profitability of the employer’s business.

(3)For subregulation (1), conduct that is serious misconduct includes each of the following:

(a) the employee, in the course of the employee’s employment, engaging in:

(i) theft; or

(ii) fraud; or

(iii) assault; or

(iv) sexual harassment;

(b) the employee being intoxicated at work;

(c) the employee refusing to carry out a lawful and reasonable instruction that is consistent with the employee’s contract of employment.

(4)Subregulation (3) does not apply if the employee is able to show that, in the circumstances, the conduct engaged in by the employee was not conduct that made employment in the period of notice unreasonable.

(5)For paragraph (3)(b), an employee is taken to be intoxicated if the employee’s faculties are, by reason of the employee being under the influence of intoxicating liquor or a drug (except a drug administered by, or taken in accordance with the directions of, a person lawfully authorised to administer the drug), so impaired that the employee is unfit to be entrusted with the employee’s duties or with any duty that the employee may be called upon to perform.”

The Health Records Act and the Privacy Principles

  1. Section 6 of the Health Records Act requires compliance with the privacy principles, including in relation to personal information and personal health information:

6          Compliance with privacy principles

(1)       A person to whom a privacy principle applies must not, without lawful authority, contravene the privacy principle.

(2)       A person is taken not to have lawful authority to contravene a privacy principle unless the person proves that, in the circumstances, compliance with the privacy principle would have contravened—

(a)       a law of the Territory; or

(b)       a law of the Commonwealth; or

(c)       an order of a court of competent jurisdiction.”

  1. The terms “consumer”, “health record”, “personal information” and “personal health information” are defined in the Dictionary to the Health Records Act:

collector means a person who, in the course of their profession, employment or official duty, collects personal health information.”

consumer means an individual who uses, or has used, a health service, or in relation to whom a health record has been created…”

health record means any record, or any part of a record—

(a)held by a health service provider and containing personal information; or

(b)containing personal health information.”

health service means—

(a) any activity that is intended or claimed (expressly or by implication), by the person providing it, to assess, record, improve or maintain the physical, mental or emotional health of a consumer or to diagnose or treat an illness or disability of a consumer; or

(b) a disability, palliative care or aged care service that involves the making or keeping of personal health information;

but does not include any service declared by regulation to be an exempt service.”

health service provider means an entity that provides a health service.”

“personal information, in relation to a consumer, means any information, recorded or otherwise, about the consumer where the identity of the consumer is apparent, whether the information is—

(a) fact or opinion; or

(b) true or false.”

personal health information, of a consumer, means any personal information, whether or not recorded in a health record—

(a) relating to the health, an illness or a disability of the consumer; or

(b) collected by a health service provider in relation to the health, an illness or a disability of the consumer.”

  1. Privacy Principle 1(3) deals with the collection and use of personal health information as part of their employment:

“Where personal health information or health records are required to be collected by someone as part of their employment for the management, funding or quality of a health service received by the consumer, then that person is allowed access to the information only for those purposes, unless these principles otherwise provide.”

  1. Privacy Principle 4.1 contains safekeeping requirements for the storage, security and destruction of personal health information obligations:

Principle 4.1:  Storage, security and destruction of personal health information—safekeeping requirement

1A record keeper who has possession or control of a health record must ensure that—

(a)the record is protected, by reasonable security safeguards, against each of the following:

(i)loss;

(ii)unauthorised access, use, modification or disclosure;

(iii)other misuse; and

(b)if the record is given to another entity—everything reasonably within the power of the record keeper is done to prevent unauthorised use or disclosure of any information contained in the record.

2A record keeper must keep, and must not destroy, a health record about a consumer, even if it is later found or claimed to be inaccurate.

3However, clause 2 does not apply to the destruction of a health record about a consumer if—

(a)the destruction is required or allowed under a law of the Territory; or

(b)the destruction is not prohibited under any other law and happens after—

(i)if the consumer is under 18 years old when the information is collected—the day the consumer turns 25 years old; or

(ii)if the consumer is an adult when the information is collected—7 years after the day a service was last provided to the consumer by the record keeper; or

(c)an electronic copy of the record has been generated—

(i)by a method described in the Electronic Transactions Act 2001, section 11 (2) (b); and

(ii)when the record is destroyed it is reasonable to expect that the information contained in the electronic copy will be readily accessible so as to be useable for subsequent reference.”

  1. Privacy Principle 10 deals with limits on the disclosure of personal health information:

Principle 10:   Limits on disclosure of personal health information

1A record keeper who has possession or control of a health record must not disclose personal health information about a consumer from the record to an entity other than the consumer.

2Clause 1 does not apply to the disclosure of personal health information about a consumer to an entity if—

(a)the information is being shared between members of a treating team for the consumer only to the extent necessary to improve or maintain the consumer’s health or manage a disability of the consumer; or

(b)the consumer is reasonably likely to have been aware, or to have been made aware under principle 2, that information of the kind disclosed is usually disclosed to the entity; or

(c)the consumer has consented to the disclosure; or

(d)the record keeper believes, on reasonable grounds, that the disclosure is necessary to prevent or lessen a serious and imminent risk to the life or physical, mental or emotional health of the consumer or someone else; or

(e)the disclosure is required or allowed under—

(i)a law of the Territory (including this Act); or

NoteDisclosure is allowed under cl 8, cl 9 and cl 10.

(ii)a law of the Commonwealth; or

(iii)an order of a court; or

(f)the disclosure of the information is necessary for the management, funding or quality of the health service received, or being received, by the consumer.

3Clause 1 also does not apply to the disclosure of personal health information about a consumer to an entity if—

(a)the disclosure is necessary for the purpose of research or the compilation or analysis of statistics, in the public interest; and

(b)it is impracticable to seek the consumer’s consent before disclosure; and

(c)the purpose mentioned in paragraph (a) cannot be achieved by the disclosure of information that does not identify the consumer and from which the consumer’s identity cannot reasonably be worked out; and

(d)the entity is required for any disclosed information (identifiable information) that identifies the consumer, or from which the consumer’s identity can be reasonably worked out—

(i)to provide protection that is at least equal to that of this Act and that prevents any further disclosure of it; and

(ii)to take reasonable steps to deidentify the information and destroy identifiable information at the earliest possible opportunity; and

(iii)to ensure that identifiable information is not made publicly available.

(e)the disclosure is in accordance with guidelines prescribed by regulation for this clause; and

(f)the record keeper believes, on reasonable grounds, that the recipient of the health information will not disclose the personal health information.

4Clause 1 also does not apply to the disclosure of personal health information about a consumer to the consumer’s carer if—

(a)the consumer cannot give or withhold consent to the disclosure, whether or not because the consumer is a—

(i)child or a young person who does not have sufficient maturity and developmental capacity to understand the nature of the young person’s request to access a health record and the nature of the record; or

(ii)legally incompetent person; and

(b)in the record keeper’s opinion, the disclosure is necessary to enable the carer to safely and effectively provide appropriate services to, or care for, the consumer.

5In relation to the sharing of information among the treating team under clause 2 (a), unless it is obvious from the circumstances and context of the health service, the person in charge of the treating team must tell the consumer about the identity of each member of the treating team who will have access to the personal health information about the consumer.

6However, the treating team leader need not tell the consumer about the identity of individuals who are required to handle health records, or personal health information about the consumer, for the management, funding or quality of the health service received, or being received, by the consumer.

7A consent given by a consumer for clause 2 (c) must—

(a)be in writing and signed—

(i)if the consumer is a child or a young person who does not have sufficient maturity and developmental capacity to understand the nature of the young person’s request to access a health record and the nature of the record—by a person with parental responsibility for the consumer; or

(ii)if the consumer is a legally incompetent person—by a guardian of the consumer; or

(iii)in any other case—by the consumer; and

(b)name the health service provider who made the record.

8An entity to which information is disclosed under clause 2, clause 3 or clause 4 must not use or disclose the information for a purpose other than the purpose for which the information was given to the entity.

9If there is an emergency and a consumer cannot give or withhold consent to the disclosure of personal health information about the consumer, the treating health service provider may discuss relevant personal health information with an immediate family member of the consumer to the extent reasonable and necessary for the proper treatment of the consumer.

10A treating health service provider for a consumer may disclose personal health information about the consumer to the consumer’s carer if—

(a)the consumer cannot give or withhold consent to the disclosure, whether or not because the consumer is a child, young person who does not have sufficient maturity and developmental capacity to understand the nature of the young person’s request to access the health record and the nature of the record or legally incompetent person; and

(b)in the provider’s opinion, the disclosure is necessary to enable the carer to safely and effectively provide appropriate services to, or care for, the consumer.

11A treating health service provider for a consumer may disclose personal health information about the consumer to an immediate family member if—

(a)the consumer cannot give or withhold consent to the disclosure, whether or not because the consumer is—

(i)a child or a young person who does not have sufficient maturity and developmental capacity to understand the nature of the young person’s request to access the health record and the nature of the record; or

(ii)a legally incompetent person; and

(b)the disclosure is made for compassionate reasons; and

(c)the provider believes, on reasonable grounds, that the disclosure would be, or would have been, expected by the consumer; and

(d)the disclosure is not contrary to any wishes previously expressed by the consumer of which the provider is aware or ought reasonably to be aware.

12In this principle:

carer, of a consumer, means a person who gives care, support or assistance to the consumer but does not include—

(a)a person who gives short-term care, support or assistance to the consumer; or

(b)a person who gives care, support or assistance to the consumer—

(i)under a commercial arrangement, or an arrangement that is substantially commercial; or

(ii)in the course of doing voluntary work for a charitable, welfare or community organisation; or

(iii)as part of a course of education or training; or

(c)a person just because the person—

(i)is the domestic partner, parent, child or other relative, or guardian of the consumer; or

(ii)lives with the consumer.

The Public Sector Management Act 1994 (ACT)

  1. Section 9 of the PSM Act deals with public sector conduct. It provides as follows:

“(1)A public servant must—

(a)take all reasonable steps to avoid a conflict of interest; and

(b)declare or manage a conflict of interest that cannot reasonably be avoided; and

(c)when acting in connection with the public servant’s job—

(i)comply with laws applying in the Territory; and

(ii)comply with any lawful and reasonable direction given by a person with the authority to give the direction; and

(iii)if dealing with a member of the public—make all reasonable efforts to help the person to understand the person’s entitlements, and any requirement the person is obliged to meet, under a territory law; and

(iv)treat all people with courtesy and sensitivity to their rights and aspirations; and

(d)do the public servant’s job with reasonable care and diligence, impartiality and honesty.

(2)A public servant must not—

(a)behave in a way that—

(i)is inconsistent with the public sector values; or

(ii)undermines the integrity and reputation of the service; or

(b)take improper advantage of the public servant’s job or information gained through the public servant’s job; or

(c)improperly use a Territory resource, including information, accessed through the public servant’s job; or

(d)without lawful authority—

(i)disclose confidential information gained through the public servant’s job; or

NoteThe Crimes Act 1900, s 153 (1) makes it an offence for a public servant to disclose information that it is the public servant’s duty not to disclose.

(ii)make a comment that reasonably appears to be an official comment; or

(e)when acting in connection with the public servant’s job—bully, harass or intimidate anyone; or

(f)when doing the public servant’s job—apply improper influence, favouritism or patronage.

(3)For a misconduct procedure, failing to act in a way that is consistent with subsection (1) or (2) may be misconduct.

NoteA misconduct procedure means a procedure set out in an industrial instrument or prescribed by regulation (see dict, def misconduct procedure).

(4)A public servant (a discloser) must tell the following person about any maladministration or corrupt or fraudulent conduct by a public servant or a public sector member of which the discloser becomes aware:

(a)the head of service;

(b)if the alleged maladministration or corrupt or fraudulent conduct is by the head of service—

(i)the director-general of the administrative unit in which the public servant is employed; or

(ii)if the head of service is the director-general of the administrative unit in which the public servant is employed—another director-general.

(5)This section does not—

(a)affect the operation of any other Act; or

(b)create or affect any other legal right.”

Section 153 of the Crimes Act 1900

  1. Section 153 of the Crimes Act 1900 (ACT) deals with disclosure of information by territory officer:

“(1)A person who, being an officer of the Territory, publishes or communicates, except to some person to whom he or she is authorised to publish or communicate it, any fact or document which comes to his or her knowledge, or into his or her possession, by virtue of him or her being an officer of the Territory and which it is his or her duty not to disclose, commits an offence.

Maximum penalty: 50 penalty units, imprisonment for 2 years or both.

(2)A person who, having been an officer of the Territory, publishes or communicates, without lawful authority, any fact or document which came to his or her knowledge, or into his or her possession, by virtue of the person having been an officer of the Territory and which, at the time when he or she ceased to be an officer of the Territory, it was his or her duty not to disclose, commits an offence.

Maximum penalty: 50 penalty units, imprisonment for 2 years or both.

(3)       In this section:

officer of the Territory means—

(a)   a public employee; or

(b)   a person who performs services for the Territory or a territory authority.”

The Enrolled nurse standards for practice

  1. The Enrolled Nurse Standards for Practice contain “the core practice standards that provide the framework for assessing enrolled nurse (EN) practice”.

  1. Standard 1 deals with lawful nursing practice. Compliance with Standard 1 means that an EN:

“1.1Demonstrates knowledge and understanding of commonwealth, state and /or territory legislation and common law pertinent to nursing practice.

1.2Fulfils the duty of care in the undertaking of EN practice.

1.3 Demonstrates knowledge of and implications for the NMBA standards, codes and guidelines, workplace policies and procedural guidelines applicable to enrolled nursing practice.

1.4 Provides nursing care according to the agreed plan of care, professional standards, workplace policies and procedural guidelines.

1.5 Identifies and clarifies EN responsibilities for aspects of delegated care working in collaboration with the RN and multidisciplinary health care team.

1.6 Recognises own limitations in practice and competence and seeks guidance from the RN and help as necessary.

1.7 Refrains from undertaking activities where competence has not been demonstrated and appropriate education, training and experience has not been undertaken.

1.8 Acts to ensure safe outcomes for others by recognising the need to protect people and reporting the risk of potential for harm.

1.9 When incidents of unsafe practice occur, reports immediately to the RN and other persons in authority and, where appropriate, explores ways to prevent recurrence.

1.10 Liaises and negotiates with the RN and other appropriate personnel to ensure that needs and rights of people in receipt of care are addressed and upheld.”

  1. Standard 2 deals with patient-centred care. Compliance with Standard 2 means that an EN:

“2.1Places the people receiving care at the centre of care and supports them to make informed choices.

2.2      Practises in accordance with the NMBA standards codes and guidelines.

2.3 Demonstrates respect for others to whom care is provided regardless of ethnicity, culture, religion, age, gender, sexual preference, physical or mental state, differing values and beliefs.

2.4      Practises culturally safe care for

(i)        Aboriginal and Torres Strait Islander peoples; and

(ii)       people from all other cultures.

2.5Forms therapeutic relationships with people receiving care and others recognising professional boundaries.

2.6 Maintains equitable care when addressing people’s differing values and beliefs.

2.7 Ensures privacy, dignity and confidentiality when providing care.

2.8 Clarifies with the RN and relevant members of the multi-disciplinary healthcare team when interventions or treatments appear unclear or inappropriate.

2.9 Reports incidents of unethical behaviour immediately to the person in authority and, where appropriate, explores ways to prevent recurrence.

2.10 Acknowledges and accommodates, wherever possible, preferences of people receiving nursing care.”


[1] The approved initial audit period was 18–19 January 2022. However, it appears from the audit results that this was a typographical error and that the actual audit conducted at this time was of emails sent from 18-19 January 2023.

[2] Health Records (Privacy and Access) Act 1997 (ACT), s.3; Explanatory Memorandum to the Health Records (Privacy and Access) Bill 1997.

[3] Legislation Act 2001 (ACT), s.160.

[4] Legislation Act 2001 (ACT).

[5] Legislation Act 2001 (ACT), s.184A.

[6] Comptroller-General of Customs v Zappia [2018] HCA 54 at [30]; 265 CLR 416.

[7] Breen v Williams [1996] HCA 57; 186 CLR 71.

[8] Fair Work Act 2009 (Cth), s.535.

[9] Comptroller-General of Customs v Zappia [2018] HCA 54; 265 CLR 416.

[10] Macquarie Dictionary Online, meaning of “apparent”.

[11] Health Records Act, Schedule 1, Privacy Principle 10.

[12] For example, Privacy Act 1988 (Cth). s.6 (definition of “personal information”); Information Privacy Act 2014 (ACT), s.8 (definition of “personal information”).

[13] Macquarie Dictionary Online, meaning of “identity”.

[14] Cambridge Dictionary, meaning of “identity”.

[15] Email from Sam Oram to Carol Sandland, 25 November 2022 at 4.23pm.

Printed by authority of the Commonwealth Government Printer

<PR769547>

Actions
Download as PDF Download as Word Document


Cases Citing This Decision

1

Cases Cited

2

Statutory Material Cited

0

Breen v Williams [1996] HCA 57