DXJ v Health Administration Corporation

Civil and Administrative Tribunal

New South Wales

Medium Neutral Citation:	DXJ v Health Administration Corporation [2019] NSWCATAD 230
Hearing dates:	On the papers
Date of orders:	06 November 2019
Decision date:	06 November 2019
Jurisdiction:	Administrative and Equal Opportunity Division
Before:	C Ludlow, Senior Member
Decision:	(1) Pursuant to s 50(2) of the Civil and Administrative Tribunal Act 2013 the Tribunal dispenses with a hearing in these proceedings. (2)   The Tribunal finds that the conduct of the respondent under review did not breach Health Privacy Principle 10. (3) Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 no action will be taken in the matter.
Catchwords:	ADMINISTRATIVE LAW – privacy – health information – purpose of collection – use or disclosure – whether purpose of use was the same as the purpose for which the information was collected
Legislation Cited:	Civil and Administrative Tribunal Act 2013 Heath Records Information Privacy Act 2002 Privacy and Personal Information Protection Act 1998
Cases Cited:	AF v Minister for Health [2012] NSWADTAP 61 ALZ v Workcover NSW [2015] NSWCATAP 138; ALZ v SafeWork NSW (No 2) [2016] NSWCATAD 121 BVS v Sydney Local Health District [2015] NSW CATAD 171 CBL v Southern Cross University [2018] NSWCATAP 236 FM v Macquarie University [2003] NSWADT 78 GL v Department of Education and Training [2003] NSWADT 166 JD v Department of Health (NSW) [2005] NSWADTAP 44 NZ v Department of Housing [2005] NSWADT 58 OA v Department of Housing [2005] NSWADT 233 RL v Department of Education and Training [2009] NSWADT 257 ZR v Department of Education and Training [2010] NSWADTAP 75
Texts Cited:	None cited
Category:	Principal judgment
Parties:	DXJ (Applicant) Health Administration Corporation (Respondent)
Representation:	Solicitors: Applicant (Self Represented) Crown Solicitor (Respondent)
File Number(s):	2019/00199354
Publication restriction:	Pursuant to s64(1)(a) of the Civil and Administrative Tribunal Act 2013 the publication of the name of the applicant is prohibited.

REASONS FOR DECISION

Background

1. This is an application for a review of conduct under the Health Records and Information Privacy Act 2002 (“the HRIP Act”). The applicant complained that her confidential medical information had been shared unnecessarily with her work colleagues and senior managers without her consent.

2. The following facts are agreed by the parties. The applicant is an employee of the respondent. On 11 August 2017 she made a request to her employer for permission to use a treadmill workstation at work. The request was made to Ms Leanne Abernethy, Manager Workers Compensation and Injury Management, and Ms Victoria Hiley, Deputy Director People and Culture. The request included health information, in particular, that she had a specified health condition (varicose veins). She was asked to sign an authority to release form by the respondent which authorised her employer to share information about her health condition with “relevant stakeholders” in relation to management of the condition.

3. The letter from Ms Janet Barry, Human Resources Officer/Recovery Coordinator, dated 23 August 2017, enclosing the authority to release, stated in part:

“Your confidentiality will be assured regarding any information provided and will only be shared on a need to know basis.”

4. I have reviewed the form which included the following statements:

“NSW Health Pathology [the former name of the respondent] is required to communicate with relevant stakeholders in order to assist in your rehabilitation and recovery at work…

I acknowledge that relevant stakeholders include but are not limited to my nominated treating doctor, specialists, hospital in-patient / out-patient or emergency attendances, physiotherapist, psychologist, rehabilitation providere and workforce (HR) delegate.

…

NSW Health Pathology recognises that this information is confidential and will not release this information to any person or organisation not involved in the management or consultation of my injury/illness without my permission. I understand that I may change or cancel this consent at any time by written notification to NSW Health Pathology, however my injury management and recovery at work may be affected.”

5. The respondent arranged for a medical examination of the applicant by Associate Professor Paul Myers. Assoc. Professor Myers provided the respondent with a report and concluded that:

“I cannot support any necessity for [DXJ] to have a treadmill at her place of work.”

6. On 17 November 2017 a Mr Darren Croese, Director of Operations, informed the applicant by letter that the respondent did not support her having a treadmill workstation at work.

7. The applicant sent an email to her employer on 7 December 2017 stating:

“I formally withdraw my consent to share my confidential information (medical, employment or otherwise) without my prior written consent.”

8. On 8 December 2017 the applicant emailed Ms Barry and Ms Hiley stating:

“I would like to submit this medical certificate and worker capability form.”

9. The certificate and form referred to a diagnosis of coronary artery disease and family history of cardiovascular disease. On 11 January 2018 the applicant wrote to Ms Hiley as follows:

“The medical certificate from Dr Pennington discussed my risk of cardiovascular disease and not varicose veins. It is an entirely separate medical matter and not addressed by the assessment from Prof Myers.

To my knowledge NSW Health Pathology have not sought an independent medical opinion with regard to this issue. The most appropriate specialist would be a cardiologist with an interest in lifestyle diseases.

As you will recall, I have withdrawn my general consent to freely share my medical information. So I would like to be sent an advanced copy of any proposed correspondence before it is distributed.”

10. On 20 June 2018 the applicant emailed the Chief Executive of the respondent requesting permission to use a treadmill workstation at her work. The email attached supporting material including medical certificates from a cardiologist, an exercise medicine physician and an endocrinologist. These discussed risks of cardiovascular disease and diabetes. There was no mention of varicose veins.

11. On 27 June 2018 Ms Victoria Hiley sent a draft letter to Ms Vanessa Janissen, the acting Chief Executive, for her consideration. The draft letter was addressed to the applicant and stated:

“You provided Ms Abernethy with medical evidence that you had varicose veins and prolonged sitting was leading to a worsening of your condition”

and otherwise referred to the details of the applicant’s medical condition, varicose veins, notwithstanding that the applicant had not referred to varicose veins in her email the Chief Executive.

12. On 27 June 2018 the Acting Chief Executive emailed Ms Hiley to indicate that she supported the letter as drafted and asked that her signature be applied to it.

13. On 17 December 2018 the applicant applied for an internal review of the conduct complained about as follows:

“In June 2018, I raised a different concern with the Chief Executive (CE). The CE contacted WH&S. The Acting CE then wrote back to me and discussed details of my previous unrelated medical condition. This information was provided to the CE by the WH&S department despite not being relevant to the matter I had raised.

Sharing my medical information with the CE was a breach of confidentiality because (a) the information was not relevant to the matter being discussed and (b) the WH&S knew they did not have my consent to share this information.”

14. The internal review found that there was no breach of the relevant Health Privacy Principles HPP 10 or 11 but made recommendations that:

1. The medical authority release form should be amended to include a statement that information may be used or disclosed for a purpose directly related to the primary purpose.

2. The NSW Health Privacy leaflet should be provided to individuals who are asked to sign the release.

3. Noting that failure to acknowledge the applicant’s withdrawal of her consent had contributed to the issues, the respondent should review its business practices to ensure withdrawal of consent is responded to appropriately.

Relevant legislation

15. Section 3 of the HRIP Act states:

“3 Purpose and objects of Act

(1)   The purpose of this Act is to promote fair and responsible handling of health information by:

(a)   protecting the privacy of an individual’s health information that is held in the public and private sectors, and

(b)   enabling individuals to gain access to their health information, and

(c)   providing an accessible framework for the resolution of complaints regarding the handling of health information.

(2)   The objects of this Act are:

(a)   to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information, and

(b)   to enhance the ability of individuals to be informed about their health care, and

(c)   to promote the provision of quality health services.”

16. Section 10 of the HRIP Act provides:

“10 Unsolicited information not considered “collected”

For the purposes of this Act, health information is not collected by an organisation if the receipt of the information by the organisation is unsolicited.”

17. Schedule 1 of the HRIP Act contains Health Privacy Principle 10 which states:

“10 Limits on use of health information

(1)   An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a)   Consent

the individual to whom the information relates has consented to the use of the information for that secondary purpose, or

(b)   Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or

Note. For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c)    Serious threat to health or welfare

the use of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

(i)   a serious and imminent threat to the life, health or safety of the individual or another person, or

(ii)   a serious threat to public health or public safety,

…

(2)   An organisation is not required to comply with a provision of this clause if:

(a)   the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).”

18. HPP 11 provides:

“11 Limits on disclosure of health information

(1)   An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:

(a)   Consent

the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or

(b)   Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or

Note. For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(c)   Serious threat to health or welfare

the disclosure of the information for the secondary purpose is reasonably believed by the organisation to be necessary to lessen or prevent:

(i)   a serious and imminent threat to the life, health or safety of the individual or another person, or

(ii)   a serious threat to public health or public safety, …

(2)   An organisation is not required to comply with a provision of this clause if:

(a)   the organisation is lawfully authorised or required not to comply with the provision concerned, or

(b) non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998), or

(c)   the organisation is an investigative agency disclosing information to another investigative agency.

…”

19. Section 21 provides:

“21 Complaints against public sector agencies

(1) The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies:

(a)   the contravention of a Health Privacy Principle that applies to the agency,

(b)   the contravention of a health privacy code of practice that applies to the agency.

(2)   For that purpose, a reference in that Part:

(a)   to personal information is taken to include health information, and

(b)   to an information protection principle is taken to include a Health Privacy Principle, and

(c)   to a privacy code of practice is taken to include a health privacy code of practice.

(3)   This section applies only to conduct engaged in after the commencement of this section.”

20. Section 55 of the Privacy and Personal Information Protection Act 1998 (“the PPIP Act”) provides:

“55 Administrative review of conduct by Tribunal

(1)   If a person who has made an application for internal review under section 53 is not satisfied with:

(a)   the findings of the review, or

(b)   the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

(1A) A person (the applicant) who is aggrieved by the conduct of a Minister (or a Minister’s personal staff) constituting a contravention of section 15 (Alteration of personal information) may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct.

(2)   On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders:

(a)   subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b)   an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c)   an order requiring the performance of an information protection principle or a privacy code of practice,

(d)   an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e)   an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f)   an order requiring the public sector agency not to disclose personal information contained in a public register,

(g)   such ancillary orders as the Tribunal thinks appropriate.

(3) Nothing in this section limits any other powers that the Tribunal has under Division 3 of Part 3 of Chapter 3 of the Administrative Decisions Review Act 1997.

(4)   The Tribunal may make an order under subsection (2) (a) only if:

(a)   the application relates to conduct that occurs after the end of the 12 month period following the date on which Division 1 of Part 2 commences, and

(b)   the Tribunal is satisfied that the applicant has suffered financial loss, or psychological or physical harm, because of the conduct of the public sector agency.

(4A)   The Tribunal may not make an order under subsection (2) (a) if:

(a)   the applicant is a convicted inmate or former convicted inmate or a spouse, partner (whether of the same or the opposite sex), relative, friend or an associate of a convicted inmate or former convicted inmate, and

(b)   the application relates to conduct of a public sector agency in relation to the convicted inmate or former convicted inmate, and

(c)   the conduct occurred while the convicted inmate or former convicted inmate was a convicted inmate, or relates to any period during which the convicted inmate or former convicted inmate was a convicted inmate.

(5)   If, in the course of an administrative review, the Tribunal is of the opinion that the chief executive officer or an employee of the public sector agency concerned has failed to exercise in good faith a function conferred or imposed on the officer or employee by or under this Act (including by or under a privacy code of practice), the Tribunal may take such measures as it considers appropriate to bring the matter to the attention of the responsible Minister (if any) for the public sector agency.

(6)   The Privacy Commissioner is to be notified by the Tribunal of any application for an administrative review. The Privacy Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to an administrative review.

(7) The Information Commissioner is to be notified by the Tribunal of any application for a review under this section that concerns the provision of government information by an agency (within the meaning of the Government Information (Public Access) Act 2009). The Information Commissioner has a right to appear and be heard in any proceedings before the Tribunal in relation to such a review.”

Whether the proceedings may be determined without a hearing

21. Under s 50(2) of the Civil and Administrative Tribunal Act 2013 the Tribunal may make an order dispensing with a hearing if it is satisfied that the issues for determination can be adequately determined in the absence of the parties by considering any written submissions or any other documents or material lodged with the Tribunal.

22. The parties have had an opportunity to make submissions on this issue and they are in agreement that the proceedings do not require a hearing. There is no evidentiary dispute and the parties have prepared an agreed statement of facts. Both parties have filed written submissions.

23. I am satisfied that the issues can be adequately determined in the absence of the parties and I make an order under s 50(2) dispensing with a hearing in these proceedings.

The issues in the proceedings

24. The parties have agreed that the information that the applicant has varicose veins is “health information” within the meaning of the HRIP Act and it is this information which is the subject of the application.

25. The parties also agree that the conduct which is the subject of the application is:

1. The sharing of the details of the applicant’s medical condition, varicose veins, outside those people employed in the Work Health and Safety Unit of NSW Health Pathology after 7 December 2017 (ie. The date of the applicant’s email withdrawing her consent to share her confidential information without prior written consent) specifically with senior managers Darren Croese (Director of Operations), Martin Sainsbury (Executive Director of People and Culture) and Vanessa Janissen (Executive Director, Strategy and Reform who was acting Chief Executive at the relevant time.)

2. The respondent’s reference to the applicant’s health information, that she has varicose veins, in its response to her email of 20 June 2018 as set out in the Acting Chief Executive’s letter to the applicant dated 27 June 2018.

26. The letter from the Acting Chief Executive stated that she had sought advice from Ms Abernethy and that Ms Abernethy had advised her in part:

“You provided Ms Abernethy with medical evidence that you had varicose veins and that prolonged sitting was leading to a worsening of your condition”

and referred to the content of the report from Assoc. Professor Myers.

27. The applicant also submitted that the draft letter confused the two medical issues and implied that Assoc. Professor Myers’ assessment had been as an expert in cardiovascular medicine when his report was limited to varicose veins. The respondent does not agree with this submission.

28. The respondent submits that the information was used for the purpose for which it was collected (HPP 10), or, in the alternative, the information was used for a purpose which was directly related to the purpose for which it was collected and the individual would reasonably expect the respondent to use the information for that purpose (HPP 10(1)(b)). Further and in the alternative, non-compliance with HPP 10 was necessarily implied or reasonably contemplated under another Act or law, namely the Health Administration Act 1982, the Health Services Act 1997 and/or the Work Health and Safety Act 2011.

Whether the conduct under review involves use or disclosure

29. The respondent submitted that the information was not “disclosed” as it was not distributed to any person outside the agency. This submission relies on a line of Tribunal decisions including JD v Department of Health (NSW) [2005] NSWADT AP 44 and CBL v Southern Cross University [2018] NSWCATAP 236. The respondent contends that its handling of the information constituted a “use” of the information. “Use” has been described as referring to “the handling of personal information within the collecting agency”: NZ v Department of Housing [2005] NSWADT 58 at [69]. “Use” of information can mean to employ information, put it into service, turn it to account, avail oneself of it or apply it to one’s own purposes (GL v Department of Education and Training [2003] NSWADT 166 ; FM v Macquarie University [2003] NSWADT 78.)

30. The applicant has not disagreed with this interpretation. The agreed issues refer to “sharing” information with other individuals in the agency. The distinction between “disclosure” and “use” was discussed by the Appeal Panel of the Administrative Decisions Tribunal in AF v Minister for Health [2012] NSWADTAP 61 [at 102]:

'Use' is generally seen as referring to the internal use made of personal information by the collecting agency, whereas 'disclosure' is used to describe the act of supplying the information to a third party external to the agency.

31. See also BVS v Sydney Local Health District [2015] NSW CATAD 171.

32. Accordingly it is established that personal information and health information cannot be “disclosed” if it has not been disclosed outside the agency. The evidence and the agreed issues do not indicate that any information was disclosed outside the agency without consent. The issue in the proceedings is whether HPP 10, which deals with use of information, was breached by the conduct.

Whether the information was used for the purpose for which it was collected

33. HPP 10 provides that an agency must not use information it holds for a purpose other than that for which it collected it (the primary purpose), with some exceptions. Whether the agency had in fact collected the information was not addressed in the parties’ submissions. The applicant initially provided the information about her condition with her request. However the respondent in my view collected information about her condition when it obtained permission to share it and when it arranged to obtain an expert report.

34. The respondent submits that the primary purpose was to assist in determining if the applicant would be permitted to use a treadmill workstation at work.

35. The applicant submits that the primary purpose was to ascertain if any workplace changes could be implemented to decrease the progression of the disease. She refers to an email from Ms Hiley which stated that Professor Myers had been asked to comment “on your condition and what adjustments are needed for it, not treadmills per se.” The correspondence shows that this was in response to an email from the applicant where she queried why her application for a treadmill had been sent to Professor Myers separately and had not been copied to her.

36. The applicant first provided the information with her request to use a treadmill workstation at work. This is evident from the words of the request of the applicant dated 11 August 2017 which states:

“I have a long standing history of varicose veins which have required treatment on several occasions. Please see the attached letter from my specialist written in support of my application for a treadmill workstation.”

37. The primary purpose is the purpose for which the agency collected the health information. This Tribunal has held that in the case of information which is “collected” by the agency deciding to retain and investigate the information, the relevant purpose is the purpose of the agency when deciding to keep the information (OA v Department of Housing [2005] NSWADT 233 and RL v Department of Education and Training [2009] NSWADT 257).

38. Applying this authority to the issue, I consider that the respondent’s primary purpose was not to attempt to decrease the progression of her medical condition, as the applicant submits. The respondent did obtain her permission to disclose the information outside the agency for the purpose of obtaining a medical assessment, but the information was collected for the purpose of her employer determining whether she would be permitted to use a treadmill workstation at work. This was the primary purpose.

39. There are two instances of conduct which it is alleged the respondent breached HPP 10, by using the information for a secondary purpose which was not the same as the primary purpose.

The sharing of the information outside the persons employed in the Work Health and Safety Unit of the respondent after 7 December 2017 – namely Darren Croese, Martin Sainsbury and Vanessa Janissen

40. Mr Croese wrote to the applicant on 17 November 2017 declining her request for a treadmill workstation, therefore the information was shared with him prior to 7 December 2017. Mr Sainsbury was the Executive Director of People and Culture and reported directly to the Chief Executive. There is evidence in an email from Ms Hiley that she sought comment from Mr Croese and Mr Sainsbury on or about 27 June 2018 in preparing her letter for the Acting Chief Executive to sign and be sent to the applicant declining her request. The draft letter referred to Mr Croese’s view on whether the applicant’s request should be granted and the reasons for his view.

41. Ms Janissen was the Acting Chief Executive at the time and the information was shared with her in the draft letter for her signature.

42. From the available evidence I am satisfied that the sharing of the information with these individuals was for the purpose of responding to the applicant’s request to be permitted to use a treadmill workstation at work.

Referring to the information in the Acting Chief Executive’s letter to the applicant dated 27 June 2018.

43. There is no evidence from Ms Hiley concerning the purpose of including the information in the draft letter. The available evidence, however, including the letter itself and the email from Ms Hiley to the Acting Chief Executive, supports a finding that the information was used in the draft letter to assist the Acting Chief Executive to determine how to respond to the request from the applicant to be permitted to use a treadmill workstation at work.

44. I accept that the applicant does not agree that the information about the varicose vein condition was relevant to the issue to be determined in June 2018, as she had relied on a different health condition second application with reference to a different health condition. Whether the determination was based on irrelevant considerations, however, is not a matter governed by the PPIP Act or HRIP Act and the Tribunal may not review the decision in that sense (ZR v Department of Education and Training [2010] NSWADTAP 75 at [74]). Moreover the Tribunal has held where the information was unsolicited, that it is the purpose for which the information is obtained by the respondent which is relevant, not the purpose for which the individual created or provided it (ALZ v Workcover NSW [2015] NSWCATAP 138 at [101-103]; ALZ v SafeWork NSW (No 2) [2016] NSWCATAD 121 at [52-54, 64]).

45. I am satisfied that the respondent collected the information for the purpose of assisting it in determining whether the applicant should be permitted to use a treadmill workstation at work. While there were two requests, they sought the same outcome and were made within the same employment relationship. The fact that the medical grounds relied on by the applicant differed did not affect the purpose for which the information was collected and used by the respondent.

Conclusion

46. I have concluded that the information was collected by the respondent for the purpose of assisting the respondent to determine whether the applicant should be permitted to use a treadmill workstation at work; and the information was used by the respondent for the same purpose.

47. Accordingly, in my view, the conduct of the respondent in sharing the information with the named persons and referring to it in the letter from the Acting Chief Executive involved using the information for the primary purpose for which it was collected, and therefore the respondent has not breached HPP 10. Given these findings it is appropriate to take no action.

Orders

1. Pursuant to s 50(2) of the Civil and Administrative Tribunal Act 2013 the Tribunal dispenses with a hearing in these proceedings.

2. The Tribunal finds that the conduct of the respondent under review did not breach Health Privacy Principle 10.

3. Pursuant to s 55(2) of the Privacy and Personal Information Protection Act 1998 no action will be taken in the matter.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.

Registrar

Decision last updated: 06 November 2019