FQW v NSW Health Pathology South
[2024] NSWCATAD 174
27 June 2024
Civil and Administrative Tribunal
New South Wales
Medium Neutral Citation: FQW v NSW Health Pathology South [2024] NSWCATAD 174
Hearing dates: 12 October 2023
Date of orders: 27 June 2024
Decision date: 27 June 2024
Jurisdiction: Administrative and Equal Opportunity Division
Before: S Higgins, Senior Member
Decision: (1) The Tribunal takes no further action on the administrative review application before it.
(2) Pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW), the disclosure of the name of the applicant, the applicant’s child and the name of the former employee of the respondent named in the material filed by the parties is prohibited.
(3) Pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 (NSW), the disclosure to the applicant of the evidence in (a) Attachment Conf-MR-1 to the statement of Mathew Ryan dated 6 July 2023, and (b) the documents provided to the Tribunal in confidence, by the respondent, on 10 November 2023 in accordance with the order made on 12 October 2024, is prohibited.
(4) Pursuant to s 64(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW), the publication of the matters contained in (a) Attachment Conf-MR-1 to the statement of Mathew Ryan dated 6 July 2023, and (b) the documents provided to the Tribunal in confidence, by the respondent, on 10 November 2023 in accordance with the order made on 12 October 2024, is prohibited.
Catchwords: ADMINISTRATIVE REVIEW – privacy – review of conduct of respondent public sector agency
Legislation Cited: Administrative Decisions Review Act 1997 (NSW)
Health Records and Information Privacy Act 2002 (NSW)
Privacy and Personal Information Protection Act 1998 (NSW)
Cases Cited: BZX v Western Sydney Local Health District; BZY v Western Sydney Local Health District; BZZ v Western Sydney Local Health District [2015] NSWCATAD 210
Director General, Department of Education and Training v MT [2006] NSWCA 270
EQH v Health Administration Corporation (No. 2) [2022] NSWCATAD 45
FH v Commissioner, New South Wales Department of Corrective Services [2003] NSWADT 72
XW v Department of Education and Training [2009] NSWADT 73
Texts Cited: None cited
Category: Principal judgment
Parties: FQW (Applicant)
NSW Health Pathology South (Respondent)
Representation: Solicitors:
Applicant (Self-represented)
Norton Rose Fulbright Australia (Respondent)
File Number(s): 2022/00385010
Publication restriction: Pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW), the disclosure of the name of the applicant, the applicant’s child and the name of the former employee of the respondent named in the material filed by the parties is prohibited.
Pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 (NSW), the disclosure to the applicant of the evidence in (a) Attachment Conf-MR-1 to the statement of Mathew Ryan dated 6 July 2023, and (b) the documents provided to the Tribunal in confidence, by the respondent, on 10 November 2023 in accordance with the order made on 12 October 2024, is prohibited.
Pursuant to s 64(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW), the publication of (a) the matters contained in Attachment Conf-MR-1 to the statement of Mathew Ryan dated 6 July 2023, and (b) the documents provided to the Tribunal in confidence, by the respondent, on 10 November 2023 in accordance with the order made on 12 October 2024, is prohibited.
REASONS FOR DECISION
[1] The applicant, FQW, seeks administrative review of conduct of the respondent, NSW Health Pathology South, that she asserts to have been a contravention of the security, use and disclosure health privacy principles (HPPs) that applied to the respondent concerning her health information held by the respondent in its Laboratory Information Management System (LIM system or LIMS): Health Records and Information Privacy Act 2002 (NSW) (HRIP Act) Sch 1 cls 5, 10 and 11.
[2] It is accepted that the respondent is an organisation that collects, holds or uses health information: see HRIP Act ss 4(1), 6 and 11(1). It is also accepted that the respondent is an organisation that is required to comply with the HPPs that are applicable to it and that it must not do any thing, or engage in any practice, that contravenes a HPP that applies to it: see HRIP Act s 11(2) and (3).
[3] Schedule 1 of the HRIP Act prescribes 15 HPPs in relation to the collection, retention and security, access, amendment, accuracy, use and disclosure of health information. The HPPs relevant to this application are HPPs 5, 10 and 11, which relevantly provide as follows:
5 Retention and security
(1) An organisation that holds health information must ensure that:
…
(c) the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and …
10 Limits on use of health information
(1) An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:
(a) Consent
the individual to whom the information relates has consented to the use of the information for that secondary purpose, or …
11 Limits on disclosure of health information
(1) An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless:
(a) Consent
the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or …
[4] In this application, it is not disputed that, on 7 September 2022, Ms M, an employee of the respondent, accessed the respondent’s LIM system to view the pathology test result of a blood sample taken from the applicant in August 2022. The pathology test result of the applicant on the respondent’s LIM system is health information about the applicant held by the respondent: HRIP Act ss 6 and 9.
[5] It is the applicant’s contention that the respondent is vicariously liable for the conduct of Ms M, which includes Ms M’s access to her health information and Ms M’s alleged use and disclosure of her health information to her then partner, who is the former partner of the applicant and the father of the applicant’s youngest son.
[6] The respondent contends that it is not liable for the conduct of Ms M in accessing the applicant’s health information, because Ms M acted outside the terms of her employment, in breach of the NSW Health Code of Conduct and the respondent’s security and privacy management measures.
[7] The respondent also contends that it is not responsible for any use or disclosure (if any) of the applicant’s health information by Ms M, as any such use or disclosure was outside the course of her employment.
[8] I heard the applicant’s application on 12 October 2023. On the application of the parties, I proceeded to hear the applicant’s application on the basis that I would first and foremost review the conduct the subject of the applicant’s application and determine whether the respondent had contravened HPP 5 (retention and security), HPP 10 (use) and/or HPP 11 (disclosure). At the conclusion of the hearing I reserved my decision and made an order: (a) that, by 27 October 2023, the respondent was to provide the Tribunal, on a confidential basis, a copy of the personal and health information Ms M had accessed in relation to the applicant and her son, and written submissions (if any) relating to that information, and (b) that, by 10 November 2023, the applicant was to provide the Tribunal and the respondent with written submissions or explanations relating to the submissions provided by the respondent in response to order (a).
Non-disclosure/publication orders
[9] The applicant’s application first came before me on 30 January 2023, where I made an order under s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW) (NCAT Act), prohibiting the disclosure of the name of the applicant.
[10] On 26 July 2023, I made the following non-disclosure, non-publication orders:
(1) pursuant to s 64(1)(a) of the NCAT Act, prohibiting the disclosure of the name of the applicant’s child and the name of the former employee of the respondent named in the material filed by the parties; and
(2) pursuant to s 64(1)(d) of the NCAT Act, prohibiting the disclosure to the applicant of the evidence in Attachment Conf-MR-1 to the statement of Mathew Ryan dated 6 July 2023.
[11] It is appropriate to:
(1) amend order 10(2) above to include the documents provided to the Tribunal in confidence, by the respondent, on 10 November 2023 in accordance with the order made on 12 October 2024; and
(2) also make a non-publication order, under s 64(1)(c) of the NCAT Act, prohibiting the publication of the matters contained in Attachment Conf-MR-1 to the statement of Matthew Ryan dated 6 July 2023 and the documents provided by the respondent in confidence to the Tribunal, on 10 November 2023, in accordance with the orders made on 12 October 2023.
Tribunal’s jurisdiction and role
[12] The applicant’s application is brought under s 55(1) of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act): see HRIP Act s 21(1).
[13] Section 21(1) of the HRIP Act provides that Part 5 (Review of certain conduct) of the PPIP Act applies to conduct of a public sector agency that is or is alleged to be a contravention of a HPP that applies to the agency. Section 21(2) of the HRIP Act provides that, for the purpose of s 21(1), a reference in Part 5 of the PPIP Act to ‘personal information’ is to be taken to include ‘health information’ and a reference to ‘information protection principle’ is to be taken to include a ‘Health Privacy Principle’.
[14] Section 55(1) of the PPIP Act relevantly provides as follows:
55 Administrative review of conduct by Tribunal
(1) If a person who has made an application for internal review under section 53 is not satisfied with—
(a) the findings of the review, or
(b) the action taken by the public sector agency in relation to the application,
the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.
[15] As noted above, the conduct the subject of the applicant’s internal review application is Ms M having, on 7 September 2022, accessed the applicant’s health information held on the respondent’s LIM system and then allegedly using and disclosing that information to the applicant’s former partner.
[16] Section 55(2) of the PPIP Act provides that ‘on reviewing the conduct of the public sector agency concerned’ the Tribunal may decide to take no further action on the matter, or make an order of the kind prescribed in paragraphs (a) to (g) of that section.
[17] That the Tribunal has jurisdiction to hear and determine the applicant’s application is not disputed: Administrative Decisions Review Act 1997 (NSW) (ADR Act) s 7(2), s 55(1) of the PPIP Act and s 21(1) of the HRIP Act.
[18] The role of the Tribunal on administrative review is to decide the correct and preferable decision having regard to the material before it, including any relevant factual material and any applicable law: ADR Act s 63(1).
[19] In this decision, my task is to make findings, based on the material before the Tribunal and the relevant provisions of the HRIP Act, whether the conduct the subject of the applicant’s internal review application is conduct by the respondent that contravenes HPP 5 (retention and security), HPP 10 (use) and/or HPP 11 (disclosure).
[20] On the material before the Tribunal and for the reasons that follow, I am not satisfied that the respondent has contravened HPP 5, HPP 10 or HPP 11 as alleged by the applicant.
Background
[21] On 12 September 2022, the applicant made a complaint, by telephone, to the respondent alleging that Ms M had, without authority, accessed her health information and disclosed it to her then partner, whom she knew to have been the applicant’s former partner and the father of the applicant’s youngest son. That complaint was subsequently made in writing.
[22] In response to the complaint, the respondent undertook an internal misconduct investigation. On 21 November 2022, the respondent wrote to the applicant and advised her of the findings of the misconduct investigation, which included a finding that Ms M’s alleged unauthorised access of the applicant’s health information had been substantiated. The respondent went on to advise that no conclusive evidence was found to support a finding that Ms M had communicated or transferred the applicant’s health information outside of the respondent. Some time prior to 21 December 2022, the applicant made a further complaint of unauthorised access, by Ms M, of her health information and that of her children.
[23] On 21 December 2022, the applicant lodged this application for administrative review. That application came before me at a case conference on 30 January 2023, where I made an order, by consent, under s 65 of the ADR Act remitting the conduct the subject of the applicant’s complaint about her health information for reconsideration by the respondent.
[24] On 9 February 2023, the applicant lodged with the respondent a completed ‘NSW Health Pathology – Privacy Internal Review application form’ seeking review of the conduct of Ms M regarding the accessing and disclosure of her health information.
[25] The respondent determined the applicant’s internal review application on 6 April 2023. In summary, the respondent found that a breach of a privacy principle relating to the applicant’s health information had not occurred, because:
while Ms M had accessed the applicant’s medical records without a clinical justification to do so, she had acted outside the terms of her employment and in breach of the NSW Health Code of Conduct and the respondent’s security and privacy management measures. Accordingly, the respondent did not breach HPP 5 (retention and security);
any use of the applicant’s health information by Ms M was not for the purpose of her employment, so it could not be characterised as a use or disclosure by the respondent contrary to the requirements of HPP 10 (use); and
it could not be established that a disclosure had occurred. Even if it could be established that Ms M disclosed the applicant’s health information to her partner, such conduct was outside the course of her employment and could not be characterised as a disclosure by the respondent contrary to the requirements of HPP 11 (disclosure).
[26] The respondent thanked the applicant for drawing the matter to its attention and apologised for the distress caused by the conduct of Ms M, who was disciplined and had subsequently resigned.
[27] As I have already noted, in this application the applicant seeks review of the conduct the subject of her initial complaint (as confirmed in the internal review application) and not a review of the respondent’s internal review determination/decision.
Material before the Tribunal
[28] In support of her case the applicant relies on a statement she made on 25 August 2023. The applicant also gave oral evidence at the hearing and was cross-examined by the solicitor for the respondent.
[29] On 21 November 2023, the applicant provided further written submissions in which she explained the impact that Ms M’s access to and disclosure of her health information had on her.
[30] In support of its case, the respondent relied on:
a statement made, on 6 July 2023, by Matthew Ryan (Mr Ryan) the respondent’s Privacy, Right to Information and Records Officer. In his statement Mr Ryan made reference to a number of Attachments including Attachment Conf-MR-1 which contained the documents relevant to the respondent’s internal misconduct investigation, and for which the abovementioned non-disclosure and non-publication orders were made;
a further statement made, on 21 September 2023, by Mr Ryan; and
a statement made, on 10 July 2023, by Jelena Stojic (Ms Stojic) the Senior Operations Manager of the respondent within the Local Health District where the applicant had undergone pathology testing.
[31] Mr Ryan and Ms Stojic both gave oral evidence at the hearing, and they were cross-examined by the applicant.
[32] Both parties provided written submissions.
[33] The respondent also provided the Tribunal, in confidence, with a copy of the pathology test results of the applicant and her son that Ms M had accessed on LIMS in 2020 and 2022. Short written submissions were also provided.
The evidence
Applicant
[34] To the extent relevant to the issue of the conduct the subject of the applicant’s internal review application, the applicant said the following in her statement:
on 20 August 2022, between 3.00 - 5.00pm an unknown person had spiked the applicant’s drink while she was at the local leagues club;
on 21 August 2022, at about 12 noon, the applicant went to the local hospital due to the ill effects the spiked drink had on her and because she was having a mental breakdown. The nursing staff took blood samples from the applicant for testing and told her to wait in the spare room for a formal admission. At about 8.30pm the applicant left the hospital, without getting any test results, as she had been waiting eight hours and not been seen by anyone;
on 10 September 2022, as her ex-partner walked past her at the local football ground he said to her: ‘How was your hospital visit a couple of weeks ago you meth head.’ She responded: ‘What are you talking about you are nuts’. Later on, the next day, at 10.16am, the applicant sent her ex-partner a text message in which she said: ‘Meth ??? Wow [Ms M] making up stories ... I’ll be ringing her job in the morning … I have my visit documented and recorded thanks u don’t know why I was there …’;
later in the day on 11 September 2022, she called the local hospital and was told to call back the next day, which she did, and lodged her complaint that Ms M had accessed her health records. Subsequently, she lodged a written complaint; and
a few weeks later in October 2022, she attended another local hospital seeking treatment for her mental health. She was initially refused treatment on the grounds that she was coming down from having methamphetamine in her system. She began crying as she could not understand why that was said to her – the doctor then apologised and gave her the results of her testing in August 2022. To her surprise ‘I found out that Methamphetamine had been in my system. I do not use Methamphetamine ever’.
[35] In her oral evidence, the applicant said:
her former partner was aware that she was on medication for a mental health condition. However, he did not know what medication she was taking;
she knew that Ms M was employed by the respondent and working at the local hospital where she had attended on 21 August 2022. She knew this because she had seen Ms M wear a green polo shirt with the NSW Health Pathology logo on it; and
on 10 September 2022, when her former partner said in passing that she was on ‘meth’, this was when she became concerned about Ms M having access to her health information.
[36] As noted above, in the written submissions provided by the applicant on 21 November 2023, the applicant explained what impact Ms M’s access to, and alleged disclosure of, her health information had on her. Of particular concern to the applicant was the disclosure of health information that the applicant had not previously shared with anyone.
Respondent
Mr Ryan
[37] In his statement of 6 July 2023, Mr Ryan deals with the applicant’s initial complaint received in September 2022, the misconduct investigations conducted by the respondent as a result of that complaint, a subsequent complaint made by the applicant, the applicant’s internal review application, the review conducted by the respondent in respect of that complaint and the privacy management framework and security safeguards that the respondent has in place in order to keep the health information that it holds secure.
[38] Regarding the complaints initially made by the applicant and the investigation thereof, Mr Ryan said:
he was first made aware of the applicant’s initial complaint on 13 September 2022, which was the day after the applicant had made her complaint in a telephone call;
at the time the applicant made her complaint, Ms M was employed by the respondent as a Technical Assistant in a laboratory of the respondent that was located within the Local Area Health District where the applicant was living. Ms M commenced working for the respondent in October 2014 and was granted access to the respondent’s LIMS database to undertake the tasks assigned to her by the respondent;
on 31 January 2023, he was advised that Ms M had resigned, of her own accord, from her employment with the respondent, with that resignation being effective from 10 February 2023; and
on 9 February 2023 he received the applicant’s internal review application.
[39] In conducting the internal review of the conduct the subject of the applicant’s application, Mr Ryan said that he had regard to the following material:
the misconduct investigations undertaken by the respondent (a copy of these having been provided to the Tribunal in confidence):
the first misconduct investigation was undertaken after the applicant made her initial complaint. He explained that this investigation was split into two separate allegations, namely whether Ms M had accessed the applicant’s health information without a clinical or work-related basis for doing so (allegation 1); and whether Ms M had used or disclosed that information (allegation 2);
the subsequent investigation was also split into two separate allegations, namely whether Ms M had accessed the LIMS records of the applicant and one of her children on multiple occasions without a clinical or work-related basis for doing so (allegation 1); and whether Ms M had provided misleading information to the first misconduct investigation when she claimed she had not previously improperly accessed the applicant’s medical records (allegation 2). Both allegations were found to be substantiated based on a LIMS audit and Ms M’s admission that she had accessed the records. However, Ms M resigned and did not respond to these allegations;
the audit reports from the LIMS database that were originally retrieved during the first misconduct investigation and those that were undertaken as part of the internal review:
Mr Ryan explained that Ms M only had access to the respondent’s LIMS database;
the database allows the respondent to retrospectively audit the log-in details used by the person who accessed a patient’s records;
for the purpose of the internal review, the audit of the LIMS database identified that Ms M’s log-in had been used to access the applicant’s record and that of one of her children on 30 October 2020, 18 November 2020, 15 January 2022, 24 February 2022 and 7 September 2022;
the respondent’s privacy management framework and security safeguards, which were summarised as follows:
user account controls such as passwords and unique username log-in;
restriction of access to personal and health information to those staff that need to have access as part of their employment;
access logs and the ability to generate audits;
comprehensive privacy policies and procedures, including training and guidance for all staff who are required to have access to health and personal information as part of their employment. These policies and procedures included the NSW Health Privacy Manual for Health Information, the Privacy Leaflet for NSWHP staff, the NSW Health Privacy Management Plan, NSW Code of Conduct, a requirement that staff sign a ‘Privacy Undertaking for Employee or Contractor’ form (Privacy Undertaking Form), Privacy Training Modules, corporate e-communications and the publication of Annual Privacy reports (a copy of some of these policies and procedures were attached to Mr Ryan’s statement);
at [43], Mr Ryan explained that the LIMS audit function allowed the respondent to:
…[determine] which login has been used to access patient records and when. The audit function does not reveal the reason(s) for access. As noted above, it is most commonly used following a complaint or issue raised about access. There is no capability to proactively screen for access for unauthorised purposes and we do not have sufficient resources to conduct ‘proactive’ audits, as staff access a significant number of medical records each day as part of their roles and checking the individual reasons for access would be prohibitive in terms of time and costs. Placing additional restrictions beyond those described above on the access to records for staff who are required to do so to perform their duties is also not practical. Staff need to have access to medical records without undue restrictions in order to deliver health services in a timely and efficient manner. We instead focus our efforts on our broader privacy framework such as privacy training, privacy undertakings, signed code of conduct and restricting access to only those who need it for their roles.
Ms M had signed a Privacy Undertaking Form at the commencement of her employment in 2015. As part of her induction in November 2015, Ms M also successfully completed compulsory online ‘Privacy Module 1 – Know your Boundaries’;
At [44] Mr Ryan said:
In summary, I found that there had not been a breach by [the respondent] of any of the applicable health privacy principles considered in this matter and that [the respondent] should not be held vicariously liable for the actions of Ms M, who clearly accessed the applicant’s information for purely personal reasons outside the terms and conditions of her employment, in this matter.
[40] In his subsequent statement, made on 21 September 2023, Mr Ryan explained:
mandatory staff training for NSW Health and its affiliates is not managed internally by the respondent. Instead, it is managed by a separate health entity, the Health Education and Training Institute (HETI). HETI provides on-line and face-to-face training. HETI also decides which training modules are mandatory and which are not mandatory for NSW Health staff, including staff of the respondent. Privacy Module 1 (Know your Boundaries) is mandatory for all new staff and must be completed within one month of having commenced work, and Privacy Module 2 (Handling Personal and Personal Health Information) is mandatory for individual staff involved in a privacy incident; and
in late 2022, the respondent developed a privacy refresher training course which it runs several times a year and promotes through targeted communications with staff. It is not compulsory. In the rare instance that a privacy breach occurs, the respondent mandates that further training becomes compulsory for relevant staff members, and disciplinary action commensurate with the nature, scale and seriousness of the breach is taken. In this case additional training was not recommended because Ms M had acknowledged that her actions were contrary to her privacy obligations: ‘Accordingly, the incident did not arise from a lack of understanding of privacy obligations and on the basis no further training was warranted.’
[41] In his oral evidence, Mr Ryan explained that audits of LIMS are undertaken by Human Resources staff; all audits are reactive and not pro-active. There are tens of thousands of records held on the LIMS. The respondent employs about 5,000 staff. He said there had been 60 complaints in four years and that the policy as to how these are to be dealt with has recently been changed by giving a complainant an option to have their complaint dealt with informally or formally under s 53 of the PPIP Act.
Ms Stojic
[42] In her statement, Ms Stojic explained that:
she had managerial oversight of the respondent’s three laboratories within the Local Health District. She has been in that role since October 2021;
LIMS contains information including the dates of collection of specimens, the location of specimens, the tests ordered by the Clinician, clinical information provided by clinicians and pathology results;
Ms M was employed as a Technical Assistant in Specimen Reception (Technical Assistant) at one of the three laboratories over which Ms Stojic had managerial oversight. As a Technical Assistant, Ms M’s role included entering patient data in LIMS, entering the tests ordered by the clinician, packing of samples for further testing at a laboratory of the respondent or another laboratory, sending out reports to the requesting clinician, faxing reports and giving out verbal results to a clinician in response to requests;
there are 18 Technical Assistants employed at the laboratory where Ms M worked;
to perform their functions and duties, a Technical Assistant needs to have access to LIMS for the whole day they are working. Ms Stojic estimated that in a 24-hour period, a Technical Assistant would deal with 1000 samples and do data entry into LIMS for 200 or more samples in a single shift. This did not include access to LIMS to deal with result requests, which happen multiple times a day. Ms Stojic estimated a single Technical Assistant would access hundreds of LIMS records every time they worked;
access to LIMS is via a secure login and is digitally recorded. Staff authorised to access the LIMS are issued a username and password and before being given access, all staff are required to sign a Privacy Undertaking;
access to the LIMS in the Central Specimen reception at the laboratory in question is by using one of the computers located in that area. The computers are called ‘kiosk computers’ as they are not individually allocated to a particular staff member. When a staff member logs into a computer using their personal log-in they are required to agree to the on-screen conditions of access, which Ms Stojic said contained a specific reference to the ‘misuse of information’. LIMS does not require a reason for access to be given. In the absence of a complaint, this makes it very difficult to detect an inappropriate instance of access;
all staff are trained to log out of LIMS if they need to leave the computer for any reason. LIMS also automatically times out after 5 minutes or so;
managers supervise Technical Assistants through undertaking checks on data entries, observing, answering questions and general training. However, it is not possible to have oversight of and/or to approve every access a Technical Assistant has to patient records. To do so would place an unreasonable burden on supervisors and significantly interfere with the performance of Technical Assistants;
it is not practical to place a password or other restriction on individual patient records. To perform their functions effectively, Technical Assistants require full, unrestricted access to all LIMS records. Implementing passwords or other restrictions on individual records would require every Technical Assistant to be aware of the patient password, to be able to access that patient’s record as part of their employment. This could create particular difficulties and risks in an emergency situation, as well as interfere with the efficient performance of functions and provisions of health services by the respondent;
to require staff to declare a reason for accessing LIMS and/or match access to a request for patient information would be costly and introduce inefficiencies in the provision of health services, which already take place in an environment of limited resources;
to the knowledge of Ms Stojic, there has been no other incident of inappropriate access of LIMS at the three laboratories over which she has management responsibility; and
following the incident involving Ms M, Ms Stojic placed posters around the laboratory and sent an email to all Technical Assistants reminding them of privacy obligations, including not to access LIMS for personal use. Ms Stojic also said she had recently introduced a practice of recording all requests for results on LIMS in a phone log, which can be reviewed to ascertain the basis on which access to LIMS was made. This practice has been incorporated into the respondent’s ‘Policy – Release of Pathology Results’ at 5.1.4.
-
In her oral evidence, Ms Stojic confirmed the evidence she gave in her statement.
Consideration
-
It is convenient to first deal with the applicant’s contention that the respondent is vicariously liable for Ms M’s unauthorised access, use and alleged disclosure of her health information.
-
The concept of ‘vicarious liability’ arises from the law of agency.
-
In Director General, Department of Education and Training v MT [2006] NSWCA 270, at [16], the Court of Appeal (per Spigelman CJ with Ipp JA and Hunt AJA agreeing) said:
16 The law of agency is not an adequate or complete basis for institutional law. When determining whether conduct or knowledge or mental state of an individual employee or agent should be attributed to a corporation, an organic approach has been developed, which approach goes beyond the individualistic inclinations of the law of agency …
-
On appeal before the Court of Appeal was a decision of the Appeal Panel of the Tribunal relating to an application for administrative review of conduct of the appellant, the Director General Department of Education and Training, that the respondent applicant had contended to be a contravention of the information protection principles in ss 12, 16, 17, 18 and 19 of the PPIP Act.
-
At [38], after setting out the relevant provisions of the PPIP Act (including ss 52, 53 and 55 of the PPIP Act), the Court of Appeal observed:
38 As can be seen each of the relevant enforcement provisions i.e. s52(1), s55(2)(a), s53 and s55(1), turn on the “conduct” of the public sector agency. There is no specific statutory provision, of a kind sometimes found in regulatory statutes, that identifies, by way of clarification and often by way of extension, when conduct of an employee or agent of an organisation is to be attributed to the organisation. Absent any such provision, the issue in any specific case is one of interpretation of the legislative scheme, giving weight to its scope and purpose.
-
After noting that the information protection principles in ss 12, 16, 17 and 18 of the PPIP Act were concerned with a public sector agency that ‘holds personal information’, and the meaning of that term in s 4(4) of the PPIP Act, at [41], the Court of Appeal held:
41 The legislative scheme is concerned with conduct of public sector agencies acting for their public purposes. The most relevant obligation with respect to unauthorised use of information held by an agency, of a character which has occurred in the present case namely use or disclosure for a non-agency purpose, is that imposed by s12(c), set out above, requiring the agency to take steps to “ensure … that the information is protected … against … unauthorised access, use … or disclosure”.
-
At [45] and [46] the Court of Appeal held:
45 … [In] the Act under consideration, however, the focus of Parliamentary attention is upon a public agency acting in that capacity for public purposes. Where the agency has satisfied its obligation under s12, it was not, in my opinion, Parliament’s intention to expose every such agency to a form of absolute liability for the unauthorised private conduct of its employees or agents.
46 Nothing in the text or the scope and purpose of the legislative scheme suggests that Parliament intended to impose absolute regulatory liability. Indeed, s12(c) itself imposes an obligation only to adopt such “safeguards as are reasonable in the circumstances”.
-
At [43], the Court of Appeal also held that where the ‘use’ or ‘disclosure’ of information was for a purpose extraneous to any purpose of the public sector agency, it should not be characterised as a ‘use’ or ‘disclosure’ by the agency or conduct of the agency, as it is not appropriate to adopt a rule of attribution that extends so far.
-
The Tribunal has adopted the findings and reasoning of the Court of Appeal to conduct of a public sector agency under the HRIP Act: see EQH v Health Administration Corporation (No. 2) [2022] NSWCATAD 45 (EQH) at [77] – [81] and BZX v Western Sydney Local Health District; BZY v Western Sydney Local Health District; BZZ v Western Sydney Local Health District [2015] NSWCATAD 210 at [28].
-
I agree with these decisions that the reasoning of the Court of Appeal applies to the HRIP Act, and in this regard I note that:
HPPs 5, 9, 10 and 11 in Sch 1 of the HRIP Act are in similar terms to the information protection principles in ss 12, 16, 17 and 18 of the PPIP Act;
HPPs 5, 9, 10 and 11 concern health information held by an organisation, which includes a public sector agency;
the meaning of ‘health information held by an organisation’ in s 9 of the HRIP Act is in similar terms to s 4(4) of the PPIP Act;
section 21 of the HRIP Act expressly provides that a review of conduct of a public sector agency concerning a person’s health information is a review made under Part 5 of the PPIP Act; and
the purpose and objects of the HRIP Act:
3 Purpose and objects of Act
(1) The purpose of this Act is to promote fair and responsible handling of health information by—
(a) protecting the privacy of an individual’s health information that is held in the public and private sectors, and
(b) enabling individuals to gain access to their health information, and
(c) providing an accessible framework for the resolution of complaints regarding the handling of health information.
(2) The objects of this Act are—
(a) to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information, and
(b) to enhance the ability of individuals to be informed about their health care, and
(c) to promote the provision of quality health services.
Did Ms M access the applicant’s health information for her own purposes?
-
The first issue for determination is whether Ms M’s access to the applicant’s health information held on the respondent’s LIM system was unauthorised and for her own purposes.
-
Based on Ms M’s admissions, as recorded in the confidential first investigation conducted by the respondent, there can be no question that Ms M’s 7 September 2022 access to the applicant’s health information held on the respondent’s LIM system was unauthorised. Hence, I find that Ms M’s access to the applicant’s health information was unauthorised. That is, Ms M’s access was for a purpose extraneous to any purpose of the respondent.
Did the respondent take such security safeguards as are reasonable in the circumstance?
-
The next question is whether the respondent had met its obligation to ensure that the health information it holds is protected, by taking such security safeguards as are reasonable in the circumstance, against unauthorised access, use and disclosure.
-
While it is ultimately a question of fact as to whether an agency has taken ‘such security safeguards as are reasonable in the circumstances’, the following decisions of the Tribunal provide some guidance as to the approach the Tribunal has taken to this issue.
-
First, there is the decision of O’Connor DCJ in FH v Commissioner, New South Wales Department of Corrective Services [2003] NSWADT 72 at [41], where his Honour said:
41 … [It] is not, as I see it, necessary to show that the security policies and practices are perfect or ideal in every respect. Where there are shortcomings, they have to be weighed in the balance alongside those aspects that are satisfactory. The significance of the shortcomings need to be assessed by reference to the degree of risk that they carry for intrusion into the privacy of the persons whose data is secured, and the potential gravity of the consequences of any intrusion if it were to occur.
-
In that case, the evidence was that the personal information in issue was information held by the respondent on its database containing all inmate records, be they past or present inmates. Access to the database was restricted. However, the database did not have the capacity to identify users who had accessed the offender information on the database. The evidence was that consideration had been given to that issue and it was found that to make the system capable of logging users would require a total re-programme of the database, at a cost of millions of dollars.
-
At [41], his Honour accepted that this was a shortcoming of the respondent’s database, but went on to say that this could not, in his view: ‘reasonably justify the conclusion that viewed overall the security system lacks adequate safeguards’.
-
In XW v Department of Education and Training [2009] NSWADT 73, at [91], the Tribunal noted:
91 Deputy President Handley noted in BE v University of Technology, Sydney [2008] NSWADT 139 that loss of correspondence is not of itself evidence that security safeguards are inadequate. I agree. The test in s12 is an objective one, and focuses on whether security safeguards are reasonable “in the circumstances”. …
-
In ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 at [31] the Tribunal noted:
31 The Respondent was required to take such security safeguards as were reasonable in the circumstances. The appropriate level of security required in relation to personal information will depend on both the nature of the information and the medium in which it is stored. In this matter the information concerns ALZ's psychiatric history and is therefore highly sensitive. The protection afforded to it should reflect that level of sensitivity.
-
The health information held on the respondent’s LIM system is very sensitive. However, as explained in the evidence of Mr Ryan and Ms Stojic, it is information to which the Technical Assistants employed by the respondent must have access, so that they can do their job of recording pathology test results, forwarding pathology test results to the relevant referring Clinician and otherwise responding to Clinician requests for pathology test results.
-
In NS v Commissioner, Department of Corrective Services [2004] NSWADT 263 at [54], I considered that the ‘flag’ appearing each time an employee sought to access the respondent’s data base was a reasonable safeguard to prevent unauthorised access to personal information on that data base. That ‘flag’ included the following (see at [21]):
The information from the system now available to you is confidential and must NOT be disclosed to unauthorized persons under any circumstances, nor are you authorised to access such information for personal reasons…
-
In EQH the Tribunal had before it the same NSW ‘Health Privacy Policy’, ‘Privacy Leaflet’, ‘Privacy Management Plan’, ‘Privacy Modules’ and ‘Code of Conduct’ that are before the Tribunal in this application. In issue in that application was the alleged unauthorised access, use and disclosure, by an employee of the respondent, concerning EQH’s health information held on the respondent’s Electronic medical records (EMR) data base. At [108], the Tribunal found that the abovementioned policies, leaflet, privacy management plan, training modules and code of conduct were, in the circumstances, reasonable security safeguards against loss, unauthorised access, use, modification, disclosure and against all other misuse of EQH’s health information.
-
It is my understanding from the material before me that the EMR and LIMS data bases are used by all NSW Health public sector agencies to record and store personal and health information of every individual for whom a health service has been provided or is to be provided by any one of these agencies. And it is for this reason that there is a NSW Health wide code of conduct and NSW Health wide privacy policies, plans and training modules that are applicable to all employees of any NSW Health public sector agency. That is, the same security safeguards apply across all NSW Health public sector agencies. However, whether these security safeguards are reasonable will still depend on the circumstances of each alleged breach of a person’s personal information or health information held by the public sector agency in question.
-
I make the following observations about the specific security safeguards the respondent has in place as referred to in the evidence of Mr Ryan and Ms Stojic:
NSW Health Code of Conduct – the Code is nine pages in length and provided to all staff, who are required to sign a copy of the Code to indicate that they have read the Code and understand it. Section 2 of the Code states that it applies to all employees of NSW Health, that it is the responsibility of all staff to comply with the Code and what happens if there is a breach of the Code, which ranges from counselling to termination. The specific standards all staff are to adhere to are set out in section 4 of the Code. Section 4.5 relates to maintaining the security of confidential and/or sensitive official information. In summary that section provides that staff must:
keep confidential all personal information and records;
not use or release official information or records without proper authority;
maintain the security of confidential and/or sensitive information;
not disclose, use or take advantage of information obtained in the course of official duties;
the Privacy Manual for Health Information – the purpose of this Manual is stated to provide operational guidance to the legislative obligations imposed on public sector agencies by the HRIP Act and the PPIP Act, including those contained in HPP 5, 10 and 11. The Manual is comprehensive and available to all staff on the NSW Health dedicated privacy web page. At page 9.04 of the Manual, under the heading 9.2.3 ‘Computer systems and applications’ there is the following statement in bold:
‘NSW Health staff may only view, access, use and disclose personal health information when it is necessary for them to do so to carry out their work’;
the Privacy Leaflet for staff - Appendix 6 to the Privacy Manual is a ‘Privacy Information Leaflet for Staff’ that contains the following statement in bold: ‘Staff may only access patient/employee personal or health information where this is required in the course of their employment’. That statement is repeated in bold on the last page of the Leaflet, under the heading ‘Important Points’. A further ‘Privacy Leaflet for Staff’ is included in the attachments to Mr Ryan’s statement. That Leaflet contains a summary of the HPPs in Sch 1 of the HRIP Act. Under the heading ‘Privacy principles’, there is the following statement: ‘Staff may access, use and disclose health information for the purpose of treatment and ongoing care’ or as otherwise specified in the Health Privacy Principles. It notes that the respondent’s clinical information systems are subject to the same strict privacy protections as paper records and, ‘improper access is a serious matter and may lead to disciplinary action or referral to police.’ In the box headed ‘Staff obligations’ there is a statement, in bold, stating that the HRIP Act provides that staff must not, other than in the course of their employment, intentionally disclose or use any health information about an individual to which the staff member has access. This is a reference to s 68(1) of the HRIP Act, which creates an offence that is punishable by a fine or 2 years imprisonment;
the Privacy Undertaking a person is required to sign on commencing employment with the respondent – the undertaking contains an initial statement that the person understands that, while he/she is employed by the respondent, he/she may have access to personal health information collected for purposes of client/patient care or for administrative, statistical, or other purposes. Immediately under that statement is the following:
I undertake not to knowingly access any personal health information unless such information is essential for me to properly and efficiently perform my (duties/contractual obligations).
…
In order to fulfil this undertaking, I will not divulge any personal health information regarding individual persons, except as allowed by the Health Privacy Principles.
the Training modules – the training modules are interactive and based on real events;
Communications - Use and Management of Misuse of NSW Health Communications Systems - the purpose of this document includes the provision of guidance and direction of mechanisms to minimise inappropriate use of NSW Health communication systems. This includes the use of an approved log-in screen being displayed each time an employee logs into a computer so that they are conversant with the conditions governing their use of the computer: see at 5.5 on page 11. That screen, as attached to the statement of Ms Stojic, states the following:
NSW Health Conditions of Access
These conditions of access should be read in conjunction with the NSW Ministry of Health Policy Directive PD2009_ 076, ‘Communications- Use and Management of Misuse of NSW Health Communications Systems’. Non compliance with the conditions of access set out in that Policy Directive could lead to the withdrawal of privileges and, in more serious cases, to disciplinary action. Access to NSW Health Communication Systems and Devices is restricted to authorised users only. Actual or attempted unauthorised use of NSW Health Communication Systems and Devices may result in criminal and/ or civil prosecution. It is the policy of all NSW Health agencies that computer surveillance occur on an ongoing, continuous basis. Computer resource are monitored by means of software or other equipment to protect the integrity of computing systems, workstations and programmes, and to guard against intentional and inadvertent access to inappropriate and/ or unlawful material and or inappropriate use. Records are maintained of computer usage including (but not limited) the sending an (sic) receipts of emails and the accessing of internet websites by individual users. ... Any unlawful use of NSW Health Communication Systems and Devices will be the subject of an internal review and may be notified to the Ministry of Health, NSW Police or the Independent Commission Against Corruption as required. In accepting entry I confirm that I have read and understood and will comply with the NSW Health PD2009_076 and these conditions of access.
the respondent’s Privacy Management Annual Report – attached to the statement of Mr Ryan is the 2021-22 Annual Report. Part 1 of that report lists the compliance activities undertaken by the respondent during that year and Part 2 relates to internal reviews. There are no internal reviews listed in Part 2 for the 2021-2022 year. However, included in this Part is a reference to a decision of the Tribunal made during that year. The decision, I understand to be BQH. However, the summary of that application is very limited, with an emphasis on the Tribunal’s finding that the alleged HPP breaches by the respondent had not occurred.
-
In my opinion, when objectively assessed, each of the abovementioned measures educates and reminds all staff of their obligations, as an employee of the respondent, when collecting personal information and health information on behalf of the respondent and when accessing, using or disclosing such information held by the respondent in written or electronic form. Each of the abovementioned measures is readily accessible to all staff. They also clearly set out the consequences if a staff member is found to have engaged in conduct, during their employment, that is contrary to the collection, access, use or disclosure information protection principle or HPP concerning an individual’s personal or health information.
-
Some measures are more direct than others. For example, the Privacy Leaflets are very short and direct. On the other hand, the Privacy Management Report is very limited in detail and the log-in screen is very generic. Nevertheless, I am satisfied the abovementioned measures, together with the requirement that each staff member has his or her own log-in id and password in accessing LIMS, and the respondent’s ability to undertake a re-active audit of a staff member’s access to LIMS, are security and safety measures designed to protect the personal and health information held on the respondent’s LIMS from loss, unauthorised access, use, or disclosure. The question is whether, when considered as a whole, these measures are also reasonable in the circumstances.
-
The applicant has suggested some additional measures could be included, such as a flag, a password or other restriction on individual patient records.
-
As noted above, it was Ms Stojic’s evidence that a flag or other restriction on individual patient records was not practical given the number of pathology tests and enquiries for test results each day.
-
I accept the evidence of Ms Stojic as she has had considerable experience in the day-to-day operation of the respondent, in particular the tasks undertaken by the Technical Assistants in the Specimen Reception area at the laboratory where Ms M worked and the many other laboratories of the respondent throughout NSW where Technical Assistants worked.
-
Both Mr Ryan and Ms Stojic said that it was not possible for LIMS to be modified to do proactive audits. From the limited information before the Tribunal, in the absence of a complaint, it is difficult to see how, given the large volume of pathology samples and pathology test results entered and recorded on LIMS, a proactive audit might disclose an unauthorised access to LIMS by a staff member.
-
When considered objectively and as a whole, notwithstanding the very sensitive nature of the personal and health information held on LIMS, I am satisfied that the abovementioned security safeguard measures taken by the respondent are reasonable in the circumstances to ensure that the personal and health information held on LIMS is protected against loss and unauthorised access, use and disclosure. In making this finding I have also had regard to the resources available to the respondent and the significant demands on its services every working day to provide quick and accurate pathology tests and test reports for treating clinicians and any other medical specialists who rely on these reports to provide the most appropriate treatment to the individuals to whom these tests and reports relate.
-
Finally, in making this finding, I have not considered the recorded remarks of Ms M during the misconduct investigation that she knew she was wrong in accessing the applicant’s personal information, as in my opinion this is of no relevance to the Sch 1 cl 5(1)(c) question of whether the respondent took such security safeguards as are reasonable in the circumstances. Ms M’s acknowledgement may of course be relevant to what disciplinary action the agency may take against her.
Did the respondent breach HPP 5?
-
As noted above I have found that:
Ms M’s access to the applicant’s health information on LIMS was unauthorised and for her own personal purposes (namely, for a purpose extraneous to any purpose of the respondent), and
the respondent had taken such security safeguards as are reasonable in the circumstances, to protect the applicant’s health information against unauthorised access, use and disclosure.
-
Based on these findings, I find that the respondent has not breached the retention and security HPP in cl 5 of Sch 1 of the HRIP Act.
Did the respondent breach HPP 10 or HPP 11?
-
Based on the same findings in (1) and (2) above, I find that the respondent has not breached the use HPP or the disclosure HPP in cll 10 and 11 of Sch 1 of the HRIP Act.
-
That is, any use or disclosure by Ms M of the applicant’s health information held by the respondent on LIMS was for a purpose extraneous to any purpose of the respondent, and therefore not conduct of the respondent: MT at [43].
-
In making this finding I do not make a finding that Ms M did not use or disclose the health information of the applicant that she had accessed on 7 September 2022.
-
In this regard, I found the applicant to be a truthful witness and that she gave evidence to the best of her recollection. I also accept that the conduct of Ms M has caused the applicant considerable stress and anxiety.
-
It is evident from the material before the Tribunal that Ms M’s access to the applicant’s health information may not have been an isolated incident of unauthorised access to health information on LIMS, as there is a record of her having previously accessed the health record of the applicant’s son. However, as noted above, Ms M resigned her position shortly after the respondent questioned her about these earlier incidents of possible unauthorised access.
-
The Tribunal does not have any jurisdiction to review disciplinary action a public sector agency takes against an employee who, without authority, accesses, uses or discloses personal information held by that agency. Nor does the Tribunal have any jurisdiction to commence criminal proceedings under s 68 of the HRIP Act.
Conclusions and orders
-
For the reasons set out above, in reviewing the conduct the subject of the applicant’s internal review application, I have found that the respondent did not engage in conduct, as alleged by the applicant, that contravened the retention and security HPP in cl 5 of Sch 1 of the HRIP Act, the use HPP in cl 10 of Sch 1 of the HRIP Act, or the disclosure HPP in cl 11 of Sch 1 of the HRIP Act that applied to it concerning health information it held about her.
-
Based on my findings, the appropriate decision (order) is not to take any action on the conduct of the respondent the subject of review (the matter): PPIP Act s 55(2).
-
As noted under the heading ‘Non- disclosure/publication orders’, I have made a number of orders under s 64(1) of the NCAT Act, which should be included in the orders made.
-
Accordingly, I make the following orders:
The Tribunal takes no further action on the administrative review application before it.
Pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW), the disclosure of the name of the applicant, the applicant’s child and the name of the former employee of the respondent named in the material filed by the parties is prohibited.
Pursuant to s 64(1)(d) of the Civil and Administrative Tribunal Act 2013 (NSW), the disclosure to the applicant of the evidence in; (a) Attachment Conf-MR-1 to the statement of Mathew Ryan dated 6 July 2023, and (b) the documents provided to the Tribunal in confidence, by the respondent, on 10 November 2023 in accordance with the order made on 12 October 2023; is prohibited.
Pursuant to s 64(1)(c) of the Civil and Administrative Tribunal Act 2013 (NSW), the publication of the matters contained in; (a) Attachment Conf-MR-1 to the statement of Mathew Ryan dated 6 July 2023, and (b) the documents provided to the Tribunal in confidence, by the respondent, on 10 November 2023 in accordance with the order made on 12 October 2023; is prohibited.
**********
I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.
Registrar
Decision last updated: 27 June 2024