FZP v Sydney Children's Hospitals Network


[2025] NSWCATAD 144

18 June 2025


Civil and Administrative Tribunal New South Wales
Medium Neutral Citation: FZP v Sydney Children’s Hospitals Network [2025] NSWCATAD 144
Hearing dates: 21 March 2025
Date of orders: 18 June 2025
Decision date: 18 June 2025
Jurisdiction: Administrative and Equal Opportunity Division
Before: J Sullivan, Senior Member
Decision:

(1)   The name of the Respondent is corrected from “Sydney Children’s Hospital Network” to “Sydney Children’s Hospitals Network”.

(2)   The Respondent is to provide an unreserved formal written apology to the Applicant addressing and apologising for the Respondent’s breach of HPP 5(1)(c) in respect of the Applicant’s health information and for all distress caused to the Applicant as a result of that breach.

(3)   The Respondent is to pay the Applicant $6,000 in damages for the above breach.

(4)   Orders 2 and 3 are to be complied with within 30 days of the date of these orders.

(5)   The Respondent, as soon as practicable, must review, update and monitor its procedures so that disclosures of health information for research purposes without consent:

(a)   comply with approved security protocols for the method of sending identifiable health information;

(b)   clearly reference the research project and applicable waiver of consent; and

(c)   include warnings as to confidentiality and limitations on use.

(6)   The publication of these reasons is deferred for a period of 28 days after the date of these orders, or such later date ordered by the Tribunal.

(7)   The parties have 14 days from the date of these orders to file an application for any further confidentiality orders under s 64 of the Civil and Administrative Tribunal Act 2013 (NSW), which should comply with par 251 of these reasons.

Catchwords:

PRIVACY – disclosure of health information – exclusion for research under HPP 11(1)(f) of the Health Records and Information Privacy Act 2002 (NSW) – application of the Statutory Guidelines on Research – consideration of HPP 5, HPP 10, HPP 14 – orders and award of damages for breach of HPP 5(1)(c)

Legislation Cited:

Administrative Decisions Review Act 1997 (NSW)

Civil and Administrative Tribunal Act 2013 (NSW)

Health Records Act 2001 (Vic)

Health Records and Information Privacy Act 2002 (NSW)

Interpretation Act 1987 (NSW)

Privacy and Personal Information Protection Act 1998 (NSW)

Cases Cited:

AIN v Medical Council of New South Wales [2017] NSWCATAP 23

Altaranesi v Administrative Decisions Tribunal [2012] NSWCA 19

ALZ v Workcover NSW [2014] NSWCATAD 49

ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122

Antegra Pty Ltd v Chief Commissioner of State Revenue [2021] NSWSC 107

AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179

AQK v Commissioner of Police, NSW Police Force [2014] NSWCATAD 55

BE v University of Technology, Sydney [2008] NSWADT 139

BKM v Sydney Local Health District [2015] NSWCATAD 87

BYW v Commissioner of Police, NSW Police Force [2015] NSWCATAP 270

CHY v Family and Community Services [2018] NSWCATAD 84

CJU v SafeWork NSW [2018] NSWCATAD 300

CLT v Department of Education and Communities [2016] NSWCATAD 98

CRE v Blacktown City Council [2017] NSWCATAD 285

DQF v Secretary, Department of Communities and Justice [2021] NSWCATAD 351

EHG v Commissioner of Police [2021] NSWCATAD 54

EOK v Northern Beaches Council [2021] NSWCATAD 297

FVR and FWA v Department of Education [2025] NSWCATAD 43

Insurance and Care NSW v FMM [2024] NSWCATAP 43

Jurecek v Director, Transport Safety Victoria [2016] VSC 285

KF v Parramatta Children’s Court [2008] NSWSC 1131

KP v Narrandera Shire Council [2011] NSWADTAP 15

Nasr v State of New South Wales [2007] NSWCA 101

NS v Commissioner, Department of Corrective Services [2004] NSWADT 263

Perry Properties Pty Ltd v Chief Commissioner of State Revenue [2013] NSWCA 274

Perry Properties Pty Ltd v Chief Commissioner of State Revenue [2017] NSWCATAD 235

QB v Greater Southern Area Health Service [2011] NSWADT 90

Sea Shepherd Australia Ltd v Commissioner of Taxation (2013) 212 FCR 252

Tom and Bill Waterhouse Pty Ltd v Facing New South Wales [2008] NSWSC 1013

Treasurer of Victoria v Tabcorp Holdings Ltd [2014] VSCA 143

XW v Department of Education and Training [2009] NSWADT 73

Texts Cited:

Nil

Category: Principal judgment
Parties: FZP (Applicant)
Sydney Children’s Hospitals Network (Respondent)
Privacy Commissioner (Intervenor)
Representation:

Counsel:
D Birch (Respondent)
R Harvey (Privacy Commissioner)

Solicitors:
Family member, as agent (Applicant)
Crown Solicitor (Respondent)
Information and Privacy Commission (Intervenor)
File Number(s): 2024/00316131
Publication restriction: (1) Pursuant to s 64(1)(a) of the Civil and Administrative Tribunal Act 2013 (NSW), publication or broadcast of the name of the Applicant is prohibited.
Note: A reference to the name of a person includes a reference to any information, picture or other material that identifies the person or is likely to lead to the identification of the person.
(2) See orders for deferral of publication date

REASONS FOR DECISION

Background

  1. The Applicant’s name has been anonymised and the pseudonym “FZP” assigned to ensure his privacy is protected. His mother represented him (as agent), so her name is not disclosed either.

  2. This is an administrative review of conduct of the Sydney Children’s Hospitals Network (“SCHN” or “Respondent”), under the Health Records and Information Privacy Act 2002 (NSW) (“HRIP Act”) that was the subject of an application for internal review (“IR Application”) under s 53 of the Privacy and Personal Information Protection Act 1998 (NSW) (“PPIP Act”).

  3. SCHN is a “public sector agency” and an “organisation” for the purposes of the HRIP Act. It must therefore comply with the HRIP Act, including the health privacy principles in Schedule 1 of that Act (“HPPs”). (For ease of reading, clauses of Schedule 1 of the HRIP Act are referenced to the relevant HPP.)

  4. The “conduct” involved an email sent by a doctor at SCHN containing the Applicant’s health information in an attached spreadsheet. It was sent to a research institute in Victoria without the Applicant’s knowledge or consent. The Applicant had formerly been a patient of a hospital which formed part of SCHN. The information included on the spreadsheet was not de-identified and included the Applicant’s clinical diagnosis of mitochondrial disease.

  5. The Applicant was unaware until May 2023 that his health information had been shared.

  6. The internal review that establishes the scope of these proceedings was conducted by an external consultancy privacy firm (IIS Partners), which found that there had been a breach of HPP 5(1)(c), but no breach of HPP 11. That decision, and its recommendations, is discussed further below.

The issues considered in these proceedings

  7. Central to this case is the tension between an individual’s right to privacy, and the conduct of research which can, in the limited circumstances prescribed by HPP 11(1)(f) of the HRIP Act, permit a person’s (identifiable) health information to be sent to another person without either their knowledge or consent.

  8. This is because, at the time the email was sent, a national multi-site research project was being conducted, led by a children’s research institute in Melbourne (“MCRI”) and including SCHN.

  9. The substantive questions considered in these reasons include:

  (1) Are the following HPPs applicable and, if so, did SCHN breach any of them?

  (a) HPP 5 (Retention and data security);

  (b) HPP 10 (Limits on use of health information);

  (c) HPP 11 (Limits on disclosure of health information); and

  (d) HPP 14 (Transborder data flows and data flow to Commonwealth agencies).

  (2) If there was a breach of the HPPs, what orders should the Tribunal make?

Summary of this Decision

  10. On the substantive matters, I have found that:

  (a) both HPP 14 and HPP 11 must be satisfied where they apply;

  (b) SCHN did not breach HPP 11, because the requirements of the research exemption in HPP 11(1)(f) were satisfied;

  (c) HPP 10 did not apply, because there was no separate use (or, if there was, the research exemption in HPP 10(1)(f) applied);

  (d) SCHN did not breach HPP 14, because SCHN reasonably believed that MCRI was subject to laws that were substantially similar to the HPPs;

  (e) SCHN breached HPP 5(1)(c) because by sending the email:

  (i) with an unencrypted spreadsheet with no password protection;

  (ii) without identifying the research project; and

  (iii) without any other warnings as to the sensitive nature of the information or limitations on its use,

  it did not ensure that the information was protected by taking such security safeguards as were reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure or against all other misuse.

  11. I have made orders requiring a written apology by SCHN, a review of its procedures, and awarded damages to the Applicant of $6,000.

  12. In respect of other matters raised in the submissions, I have found that:

  (a) SCHN was permitted to resile from the IR Decision and to argue new grounds in these proceedings as the conduct the subject of the internal review application was unchanged;

  (b) the scope of this review is limited to the conduct of SCHN that is asserted to be in breach of an HPP of which the Applicant is aggrieved; and

  (c) the outsourcing of the internal review to IIS Partners was permitted by s 53(4) of the PPIP Act.

Materials filed and key submissions

  13. The materials and submissions before the Tribunal were extensive and, in some cases, repetitive. Facts required to be determined are as found below, with context included where relevant. Evidence relating to facts outside the scope of these proceedings is either briefly addressed by way of observation, or not dealt with in these reasons.

The Applicant

  14. The Applicant relied on:

  (a) his application that commenced these proceedings, filed on 26 August 2024 (A1);

  (b) evidence and submissions filed on 11 November 2024 (A2);

  (c) further evidence and submissions in reply filed on 1 March 2025 (A3);

  (d) a further bundle filed on 17 March 2025 including a report from a Clinical Psychologist, Mr Borenstein, and additional evidence of costs for legal services and psychology services in support of the claim for damages (A4); and

  (e) an updated version of A4, incorporating additional legal costs, as amended on 20 March 2025 and handed up at the hearing (also provided subsequently by email) (A5).

  15. The Applicant says:

  (a) the sending of the email was a disclosure in breach of the HRIP Act, has disrespected him, and has caused him and his family great distress;

  (b) there has been no denial of the disclosure, but he has not received a “valid legal and ethical reason” as to how it was permitted, and under what authority; and

  (c) the way the complaint and subsequent litigation has been managed by SCHN, and their failure to acknowledge and apologise, has left the Applicant and his family severely traumatised, with an overwhelming and irreversible impact.

  16. He seeks a range of remedies, including damages of $40,000 (the maximum amount that can be ordered under the HRIP Act).

  17. The Applicant’s Opening Statement included in the materials filed said, inter alia: [1]

“I.. am living with a debilitating genetic illness resulting in multiple disabilities and have witnessed the passing of my [sibling] from the same genetic illness. I agree that the sharing of information for research purposes can aid our understanding of illnesses (where de-identification is normal practice): it can help seek better management strategies, improve quality of life and potentially find a cure (and there is nothing I want more than all these things).

HOWEVER: There are numerous legal and ethical requirements in place at all levels of medical research governance that provides protection for patients’ privacy. The message should be clear and understood by researchers, that while participants’ medical information is valuable to them, so is the participant’s basic human right to respect and privacy valuable to us, and for many, this constitutes our remaining dignity.”

[1] A2, tab 3

SCHN

  18. SCHN relied on:

  (a) documents required by s 58 of the Administrative Decisions Review Act 1997 (NSW) (ADR Act) filed on 14 October 2024 (R1);

  (b) further documents filed on 19 December 2024 (R2);

  (c) submissions filed on 19 December 2024 (R3);

  (d) an affidavit of Nadine Ghassibe sworn 16 December 2024 and filed on 19 December 2024 (R4);

  (e) documents tendered at the hearing and accepted into evidence, being a letter dated 23 November 2019 from the Chair of the Melbourne Health Human Research Ethics Committee (“MH HREC”) to SCHN (R5); and Study Protocol V14 dated 24 September 2019, minus attachments (R6).

  19. SCHN submits that the Tribunal should depart from the findings made in the IR Decision and find that:

  (a) there has been no breach of HPP 5;

  (b) HPP 11 has no application to its provision of information to MCRI, and there has been no breach of HPP 14, which is the relevant HPP that would regulate the provision of information to MCRI;

  (c) in any event, HPP 11 was not breached as the research exemption in HPP 11(1)(f) applied;

  (d) SCHN’s provision of health information to a third party is a disclosure that does not also involve a “use” by SCHN that is regulated by HPP 10; and

  (e) no further action should be taken on the matter.

Privacy Commissioner as intervenor

  20. The Privacy Commissioner filed submissions on 19 February 2025 (PC1) and provided oral submissions at the hearing. The Privacy Commissioner has a right to appear and be heard under s 55(6) of the PPIP Act, and in accordance with the Tribunal’s orders dated 16 September 2024 and by variation on 21 January 2025.

  21. The Commissioner’s submissions were confined to assisting the Tribunal with four issues:

  (a) the requirements of HPP 11(1)(f) and the application of the Commissioner’s “Statutory Guidelines on Research” (issued under s 64 of the HRIP Act);

  (b) the requirements of HPP 14 when health information is transferred outside of New South Wales;

  (c) the proper interaction between HPP 11(1)(f) and HPP 14; and

  (d) the requirements of s 53(4) of the PPIP Act when an internal review is conducted by a third party.

Relevant facts – context and conduct

  22. The facts relevant to the conduct of SCHN in respect of the email that was sent, and the context in which that occurred, are set out below.

  23. The Applicant was born after 1 January 1987. He had previously attended the Prince of Wales Children’s Hospital in Randwick. SCHN includes that hospital, and also the Children’s Hospital Westmead. SCHN held information on its patient records relating to the Applicant which included details of his clinical diagnosis of mitochondrial disease.

The Research Project and its approval by the MH HREC

  24. On 9 January 2017, the MH HREC granted an application by MCRI for ethics approval for a multi-year, multi-site research project named “Australian Genomics Health Alliance: Preparing Australia for Genomic Medicine” (“Research Project”). This approval was registered with the reference HREC/16/MH/251. [2]

[2] R3, (page) 28

  25. MCRI led and was the principal administrator of the Research Project. MCRI had applied for ethics approval from the MH HREC for the Research Project for multiple hospitals and laboratories across Australia as part of the National Health and Medical Research Council’s (NHMRC) NMA Scheme. [3] The NMA Scheme was the National Mutual Acceptance of Scientific and Ethical Review for Multi-Centre Human Research Projects Conducted in Public Health Organisations. It established the requirement for only a single ethics approval for all participants, avoiding multiple HREC approvals being sought by each participant organisation across Australia.

[3] R1, 152

  26. The MH HREC was certified by the NHMRC to grant approval under the NMA Scheme. As stated in its Terms of Reference:

“The Melbourne Health HREC has been certified by the National Certification Scheme of Institutional Process related to the Ethical Review of Multi-centre Human Research throughout Australia.” [4]

[4] R3, 23

  27. The Research Project continued until around 2022, and the initial ethics approval was subject to ongoing amendment. This led to further MH HREC approvals throughout the period of the Research Project, each time resulting in the issue of an updated approved Study Protocol, and a multitude of supporting documents. The Tribunal was provided with the following versions of the updated “Study Protocols” (minus attachments) approved for the Research Project:

  (a) Study Protocol V14 dated 24 September 2019 [5] and a covering approval letter dated 23 November 2019 [6];

  (b) Study Protocol V17 dated 9 November 2020 [7]; and

  (c) Study Protocol V18 dated 1 April 2021 [8].

[5] R6, 1-118

[6] R5, 1-2

[7] R2, 11-142

[8] R2, 241-373

  28. By way of example, the approval letter sent on 23 November 2019 by the Chair of the MH HREC to the CEO of MCRI [9] listed forty “Approved Documents”, including Study Protocol V14. It said (extract, my emphasis):

“I am pleased to advise that the above project has received ethical approval from the Melbourne Health Research Ethics Committee (HREC). The HREC confirms that your proposal meets the requirements of the National Statement on Ethical Conduct in Human Research (2007). This HREC is organised and operates in accordance with the National Health and Medical Research Council’s (NHRMC) National Statement on Ethical Conduct in Human Research (2007), and all subsequent updates, and in accordance with the Note for Guidance on Good Clinical Practice (CPMP/ICH/135/95), the Health Privacy Principles described in the Health Records Act 2001 (Vic) and Section 95A of the Privacy Act 1998 (and subsequent Guidelines).”

[9] R5

About the research

  29. The Research Project was described as follows:

“This study will examine the feasibility and value of genomic testing in clinical practice, along with providing research pathways for further investigation of undiagnosed cases.” [10]

[10] R6, 7

  30. The Research Project included disease “flagships”, broadly defined as Rare Disease and Cancer. Within those flagships there were a number of projects focussed on particular conditions. [11] One of those was “Clinical Flagship: Mitochondrial Diseases”. [12]

[11] R6, 7

[12] R6, 2 and Section 6

  31. The Protocol for the Research Project, at Section 4.5 of the Study Protocol (with wording consistent in the various versions) [13]:

[13] R6, 19

  (a) included a retrospective review of a secondary cohort population (i.e. not current patients in the “main” study population), for which historical data existing on hospital or laboratory records could be collected without consent (my emphasis in italics below):

“… The data will … provide sound baseline comparator data to assess the additional diagnostic yield and clinical utility of genomic testing in different disease areas.

“Participant group: The cohort of patients will have been assessed for diagnostic purposes either as inpatients or outpatients at the hospitals covered by the current multi-site research ethics Protocol or have had genetic testing through laboratory diagnostic services associated with the study. This retrospective review will capture data from patients presenting during the study period, 1st January 2016 through to December 2020, or the end of the study. Data will be collected for a maximum of 550 paediatric and adult patients per flagship.

Recruitment and consent: Consent will not be sought for this retrospective review of patient records. All collected data will be de-identified and patient confidentiality respected. Therefore, no risks to patients are anticipated. This strategy is consistent with single-site clinical audits which do not require consent and are typically LNR ethics applications.

Data storage and analysis: The abovementioned patient data will be extracted from the medical record of existing hospital systems or diagnostic laboratories… the data will be de-identified and stored within the secure [name] database or other suitable site-specific database where security standards are met (password-protected computer, limited to approved investigators)…

Disease area specific exception

Mitochondrial Disease – Participant group: This retrospective review will capture data from patients born during the study period, 1st January 1987 through to December 2020, or the end of the study.”

SCHN was involved in the Research Project

  32. The documents before the Tribunal listed the principal investigators for each site, which included The Children’s Hospital at Westmead and Sydney Children’s Hospital, Randwick (both part of SCHN). SCHN was a member of the Australian Genomic Health Alliance (“AGHA”). The AGHA was a collaboration of more than 50 partners with expertise across all areas of genomics committed to building evidence to facilitate the integration of genomic sequencing into clinical practice. The AGHA, led by MCRI, conducted the Research Project. [14]

[14] R6, 7

  33. As required by the NHMRC, MCRI (as the Administrating Institution) and each “Participating Institution” in the Research Project (which included SCHN) entered into a Multi-Institutional Agreement in 2016. [15] Under clause 2 (“Conduct of the Project”) each party agreed, inter alia:

“(k) to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles under that Act in the use, collection, storage and security or disclosure or any personal and/or health information collected or used during the Project;

(t) to comply with any applicable statues [sic], regulations, by-laws and requirements of the Commonwealth and any State, Territory or local authority.”

[15] R1, Tab 4

  34. A Secondary Funding Agreement regarding the Research Project signed in July 2016 [16] named Dr X of SCHN as the NSW state lead person for the Mitochondrial Disorders flagship of the Research Project and the relevant personnel from MCRI.

[16] R1, 196; it also referred to funding from the Australian Mitochondrial Diseases Foundation (Mito Foundation) for the Mitochondrial Disorders flagship.

  35. SCHN entered into a further “Head Research Collaboration Agreement” with MCRI on 25 January 2017, governing MCRI and SCHN collaborative research projects. [17] The Children’s Hospital at Westmead (CHW) was an authorised participating site for the Research Project. [18]

[17] R1, 205

[18] See confirmation 3 March 2017 at R1, 227

The email exchanges

Email 1 – the request from MCRI

  36. On 13 March 2020, a doctor who was a principal investigator of the Research Project at MCRI (“Dr PI”) sent an email (copied to their colleague) titled “mitochondrial epidemiology study” to two doctors at SCHN (Dr X and Dr Y). It read (my emphasis):

“Dear [Dr X and Dr Y]

… I thought I’d send a reminder of our list of paediatric onset mitochondrial patients born since 1987 in NSW. So far we have 176.

For now we would like you to help identify any patients we are missing if you can. (We are most likely to be missing ones who didn’t have diagnostic biopsies/have molecular diagnoses not established through Melbourne).

Later we will prevail upon you to help us fill in gaps in the data (a lot of this will be related to survival).

Feel free to share with your teams and if there is anyone else (eg other centres or departments) you think we should ask directly for input, please let me know).” [19]

[19] R1, 236

  37. The reference to “patients born since 1987” aligned with the reference above at Section 4.5 of the Study Protocol, viz:

“Mitochondrial Disease – Participant group: This retrospective review will capture data from patients born during the study period, 1st January 1987 through to December 2020, or the end of the study.”

Email 2 – suggested inclusion of a spreadsheet

  38. Dr PI’s colleague at MCRI “replied all” saying:

“Hi [Dr PI]

I think it may be easier for [Dr X and Dr Y] if you send names as a cut down XL worksheet with existing columns for dob, dod (if known), age at presentation, gene, diagnosis to make it a bit easier to scan, re-order, etc.

Cheers”

  39. “dob” was a reference to date of birth. “dod” was a reference to date of death.

Email 3 – the MCRI Spreadsheet is provided

  40. Dr PI then “replied all” by email with an attached spreadsheet, which said:

“Thanks [MCRI colleague]

Here it is. It would be much appreciated it you could add where possible.”

  41. The attached spreadsheet was titled “NSW patients.xlxs”.

  42. One row related to the Applicant. MCRI had completed 9 of the columns with information it held relating to the Applicant, including his first and last name, postcode, date of birth, and sex. The remaining 3 empty columns were whether the patient was alive or deceased, the date of their last follow-up with the hospital, and the clinical manifestation. [20]

[20] R1, 155

Email 4 – SCHN’s email reply with the attached Updated Spreadsheet

  43. On 10 February 2021, Dr X from SCHN replied to the email from MCRI, [21] attaching a spreadsheet titled “NSW.patients.[Dr X’s first name]. 10.02.2021.xlsx” (“Updated Spreadsheet”). [22]

[21] R1, 236

[22] R1, 237 (extract only)

  44. Relevantly, the email from Dr X said:

“Please find attached the data for NSW patients. I have tried to fill in as much as details as possible.

- Data till 2020 December – I have entered the new data separately so that it is easy for [Dr PI] to insert to [their] master chart

- Highlighted in yellow – I have made corrections or entered new data

- Green – could not trace any records in track gene/power chart

- Red (six patients) Files in Randwick – I hope to access the files when I go to the clinic on 26/2/2021 & will be able to provide the data.

Please let me know if this is okay or if you need more details…”

  45. In respect of the Applicant’s row:

  (a) SCHN had completed the 3 previously blank columns to include the details relevant to the Applicant, including the fact he was still alive and his clinical manifestation; and

  (b) the inserted information remained identifiable, because the Applicant’s name remained on the relevant row.

  46. Neither the email nor the attachment sent by SCHN was stated to be password protected or otherwise encrypted, to relate to the Research Project, or to contain confidential or sensitive information (although the email from MCRI attaching the original spreadsheet had contained a standard confidentiality footer [23]).

[23] R1, 233

Discovery of the disclosure

  47. On 19 May 2023, the Applicant’s mother discovered that the Applicant’s health information had been shared with MCRI. [24] She told the Tribunal that she had found this out when SCHN requested the Applicant’s consent for the provision of the information to MCRI (which had already occurred). No clear details of how this transpired were in evidence before me. The Applicant’s submissions said:

“I [mother], on May 19th, 2023, first became aware of the use/disclosure of our son’s… unconsented FULLY IDENTIFIED (name, DOB, postcode) sensitive (health and genetic) information to a third party for research purposes.” [25]

[24] R1, 1

[25] A2 item 1, 1

The “First Request”

  48. The Applicant’s mother sent an email in May 2023, addressed and sent to the Chair and board members of SCHN, the NSW Privacy Commissioner, the NSW Information Commissioner, the CEO of SCHN, the Director of Medical Services and Clinical Governance of SCHN, the Director of Research of SCHN and the SCHN Complaints department, titled “Concerns regarding a Breach in Patient Confidentiality” (“First Request”). [26]

[26] A2, item 2, (page) 9

  49. It said, inter alia:

“I am writing both as a consumer and distressed parent about recent concerns surrounding privacy breaches and the sharing of the personal details of my son… with a research institution outside of the SCHN, and NSW….

Although [Applicant] was a past patient at [Prince of Wales Children’s Hospital], receiving ‘diagnostic confirmation only’ genetic testing in 2007, he has not been part of any research project within the SCHN either then or since, nor has he signed any documentation to do so, and nor has he ever attended the Westmead genetics dept. And yet, I believe that his personal details have been shared with MCRI in Victoria.

Rectification can ONLY be achieved through removal of ALL unconsented patient details from the MCRI, apologies given to the families involved, patient consent then respectfully and legitimately obtained, and the correct disciplinary action applied to those involved. Only then can research attitudes be reminded of the actual need for patient respect, trust regained, and future participation guaranteed. I am also currently investigating my next steps forward to stop researchers disrespecting both the patient and their clinical relationships, and the current manipulation of ethics to extend research boundaries.”

  50. The CEO of SCHN responded to the Applicant’s mother the following day, apologising for the distress experienced, and requesting authorisation from her son (the Applicant) for the “relevant team to progress this matter”. That authorisation was provided. [27]

[27] A2, item 2, 9-10

  51. SCHN considered the substance of the First Request to relate to research ethics and not as an application for internal review under s 53 of the PPIP Act, and referred it to the SCHN HREC. On 24 May 2023, SCHN notified the Privacy Commissioner by email [28] that:

“SCHN already have teams involved in the review of these concerns including Research Ethics. At this stage a privacy formal internal review has not been initiated.”

[28] A2, item 2, 81

  52. The Chair of the SCHN HREC then wrote to the Applicant’s mother requesting further details, including “how you became aware” and “who informed you of this potential breach in privacy”. The response by the Applicant’s mother was: [29]

“I became aware of the breach concerning my son’s personal data being shared with the MCRI 2 weeks ago now. However, the relevancy of “how I became aware” does not add any benefit at all towards the resolution of the matter, except that we are extremely appreciative for the honesty and integrity of all those involved in trying to seek its rectification.

Whilst our intent is not to seek a trail of revenge nor retributive justice upon the SCHN, we are however, extremely eager to the see this breach reversed and with lessons learnt, appropriate new and improved SCHN systems in place, monitored to prevent any future failure. I expect that the removal of personally identified data would be inclusive of not only our son’s, but also any other unfortunate family that may have been caught up in this or similar breaches.”

[29] A2, item 2, 15

  53. On 16 August 2023, the CEO of SCHN wrote to the Applicant’s mother [30] saying, inter alia (my emphasis):

“We are sorry to hear that this matter has caused distress to you and your family. Thank you for your patience while a review was conducted into this matter. The Research Office at [SCHN] reviewed your concerns in accordance with the National Statement on Ethical Conduct in Human Research 2007 (updated 2018) and local and institutional policies.

It was found that [Dr PI] at MCRI (Melbourne) had received identifiable information regarding your son via an external diagnostic laboratory as part of an ethically approved national, multi-centre research project. This research project is titled “Australian Genomics Health Alliance: Preparing Australia for Genomic Medicine” and has ethics approval from the Melbourne Health Human Research Ethics Committee in Melbourne [Reference number: HREC/16/MH/251] for multiple Hospitals and laboratories across Australia as part of the National Health and Medical Research Council (NHMRC) National Mutual Acceptance Scheme. The ethics approval included a waiver of consent (considered under Australian Privacy Law) for the collection of retrospective data and review of patient records from relevant Hospitals. Under this Ethics Approval the Genetic Metabolic Disorders Service at the Children’s Hospital at Westmead was asked to confirm the last date the patient was seen at the Service and a three-word description of their clinical manifestation at that time. Accordingly, our review concluded that the Genetic Metabolic Disorders Service at the Children’s Hospital at Westmead did not breach your son’s privacy….”

30. A2, item 2, 17

  1. Documents before the Tribunal [31] reveal that Dr PI from MCRI advised SCHN’s Research Office (inter alia) that:

    31. R1, 238-9

  1. the Applicant’s information in the spreadsheets sent and received was disclosed (and collected) as part of the Research Project;

  2. the information in the original spreadsheet was obtained by MCRI from an associated diagnostic laboratory in Victoria;

  3. some of that information required verification, for example that the onset of disease symptoms occurred in childhood and thus the patient was eligible to be included in the Research Project cohort; and

  4. the Applicant was included as part of the secondary (retrospective) cohort for the Research Project, as set out in the Study Protocol V18 01.04.2021 section 4.5 (see par 31 above).

Previous application to the Tribunal made and withdrawn

  1. The Applicant’s submissions set out the chronology of events which led to confusion regarding the status of the First Request, because it had not been dealt with by SCHN as an application for internal review for the purpose of s 53 of the PPIP Act. [32] On 5 September 2023, the Applicant’s mother had been advised by the Privacy Commissioner [33] that, due to the manner in which it was dealt with by SCHN, the best course of action was to request a privacy internal review.

    32. A2 item 2, 3

    33. A2, item 2, 38

  2. As this appeared inconsistent with previous advice, the Applicant’s mother requested clarification from the Privacy Commissioner.

  3. On 20 September 2023, having received no response, the Applicant’s mother (on behalf of the Applicant) filed an application to the Tribunal for administrative review.

  4. Following case conferences, and queries raised by SCHN’s legal representatives regarding the jurisdiction of the Tribunal, a mediation was held on 3 November 2023. It did not resolve the matter.

  5. Upon receiving advice (or further advice) that the First Request was not an application for internal review that would form the basis for review by the Tribunal, the Applicant’s application was withdrawn on 26 February 2024. [34]

    34. R1, 154

The internal review application

  1. On 10 May 2024, the Applicant’s mother (on behalf of the Applicant) sent a “formal application for internal review” to SCHN. [35] This is the relevant internal review application for the purpose of s 53 of the PPIP Act which informs the scope of these proceedings (“IR Application”). The relevant conduct the subject of the IR Application was the provision of the Applicant’s health information by SCHN to MCRI without his knowledge or consent, as I have set out above.

    35. R1, 1-147

  2. The IR Application also complained of the delays and frustrations experienced by the Applicant because of the need to file a further “formal” internal review application (due to the confusion referenced above). That conduct was not stated or alleged to be in breach of any provision of the HRIP Act. Nonetheless, it underlies part of the Applicant’s claim in these proceedings for damages, which I address later in these reasons.

  3. The IR Application asked that the internal review be undertaken by an independent third party.

The internal review decision

  1. SCHN engaged IIS Partners to conduct the internal review. There is no dispute that IIS Partners had the expertise and capability to do so.

  2. On 26 July 2024, IIS Partners completed their report and provided it to SCHN (“IR Decision”). On 29 July 2024 (mis-dated as 29 June 2024), SCHN sent the IR Decision to the Applicant via his mother.

  3. The IR Decision concluded that:

  1. there was no breach of HPP 11, because the requirements of the research exemption in HPP 11(1)(f) had been satisfied;

  2. there had been a breach of HPP 5(1)(c) because the Applicant’s health information had been provided to MCRI via an email attachment that had not been encrypted, which was contrary to SCHN’s policies. It also noted that the emails did not specify that the information was required for an HREC-approved research project, or contain any reference numbers or other information to confirm this was the case before the reply email was sent.

  3. the reviewer did not agree with the Applicant’s characterisation that SCHN acted with ill intent or otherwise deliberately acted in a way to dismiss the complaint (First Request). Rather, the SCHN inadvertently failed to communicate clearly with the Applicant about the option for seeking a privacy internal review.

  1. The IR Decision recommended that SCHN:

  1. Apologise to the Applicant for breaching HPP 5 and failing to be clear regarding their complaints handling process;

  2. Review and improve processes for SCHN staff regarding sharing and disclosure of health information in the context of research requests;

  3. Review and improve processes for handling privacy complaints; and

  4. Update the SCHN “Privacy and your child’s health information” webpage to accurately reflect how health information may be disclosed (particularly in respect of disclosure of health information for research purposes).

These proceedings

  1. On 26 August 2024, the Applicant filed his application for review by the Tribunal. Under “Grounds for Application” [36] the Applicant said:

“Around 2019, my sensitive confidential (medical and genetic) information was accessed from SCHN health records, & shared UNCONSENTED/IDENTIFIED (name, DOB and postcode) with a Research Institute. SCHN continues to deny breaching privacy, although having NO AUTHORITY to do so (via my consent, law or a research protocol). I first became aware of the breach 22 May 2023, when raising concerns SCHN failed to follow correct ‘Complaint’ management processes, leading us to believe a formal review was completed so prematurely onto NCAT (& later having to withdraw). A formal review is now finally completed.”

36. A1

Affidavit and oral testimony of Ms Ghassibe

  1. The only witness who gave evidence at the hearing was Ms Ghassibe, the Health Information Services Manager with the SCHN Performance Unit. She is also the Privacy Contact Officer (PCO) for SCHN and deals with privacy complaints, applications for internal review, and privacy education and awareness for SCHN employees. She confirmed the contents of her affidavit (R4). At par [5] of that affidavit she stated “Where I depose to matters about which I have been informed by other people, I believe them to be true”.

  2. The affidavit of Ms Ghassibe was directed to three matters.

Privacy controls in place at SCHN when providing information to third parties

  1. In her affidavit Ms Ghassibe stated:

“6.   The SCHN has a number of privacy measures in place to prevent the unauthorised access to information that it provides to third parties, including:

a.   Training and educating staff about secure information sharing practices, including those discussed below at [9]-[12]; and

b.   Making available to staff the information communication technology (ICT) software and platforms that have completed the Privacy and Security Assurance Framework (PSAF) process at eHealth NSW, such as Microsoft Outlook, so that staff have resources with appropriate levels of privacy and security protections to refer to, use or share sensitive or confidential information.

7.   I have received confirmation from [Mr A], NSW Health eHealth Senior Product Owner Messaging Platform that emails sent to and by SCHN accounts utilise Microsoft Exchange. Microsoft Exchange makes use of “Transport Layer Security”, or TLS, a cryptographic communication protocol. TLS authenticates and encrypts the connection between email servers to prevent interception of an email while it is being transmitted and requires both email servers to support TLS-encryption (including other Microsoft Exchange servers). [Mr A] confirmed that TLS encryption would have been in place prior to the emails between [Dr PI] and [Dr X] that I understand to be the subject of these proceedings.

8.   On 13 December 2024, I was informed by [name], a legal officer employed by MCRI, that MCRI uses TLS for email services.

9.   As both SCHN and MCRI utilise TLS, the transmission of the email from [Dr X] to [Dr PI] would have been encrypted, even if the attachment to the email had not been also encrypted.”

  1. Although the Tribunal is not bound by the rules of evidence, it is noted that the evidence of the other persons referenced above was “hearsay”. There was no written confirmation in support of those statements from the persons she spoke to. The wording of “would have” versus “did”, and some wording in present tense in [8] and [9], raises some doubts. I observe, however, that MCRI did, in other documents before the Tribunal, confirm that the TLS system was in place at the time the email exchanges occurred. [37]

    37. A2, item 17(a)

Training and education

  1. At [10]-[11] of her affidavit, Ms Ghassibe described training and education measures in place which are designed for employees to be made aware of all applicable policies, procedures, manuals, guidance and applicable provisions of the PPIP Act and HRIP Act. I accept that there are such training programs in place.

Explanation for not encrypting the spreadsheet

  1. At [16] – [18] of her affidavit, Ms Ghassibe said (my emphasis):

“16.   On 9 December 2024, Dr X informed the Director of Research, SCHN, that she thinks the reason why she did not encrypt the spreadsheet containing the applicant’s health information prior to attaching it to the email that she sent to MCRI was because:

a.   the spreadsheet provided by MCRI had not been encrypted;

b.   she was not asked by MCRI to encrypt the spreadsheet before sending it back; and

c.    in those circumstances, she considered there must have been some protection and inherent encryption embedded into the MCRI work email system that meant it was safe for her not to encrypt the spreadsheet attached to her email and she could not change the email settings as she did not have the administrator rights.

17.   Since [Dr X] sent the email to [Dr PI] in 2021, there have been some changes in how SCHN staff send files containing sensitive information. One of those changes is that the SCHN’s Health Information Unit and Release of Information teams have been able to increase staff uptake of Kiteworks to send files containing sensitive information. Kiteworks automatically encrypts emails and file attachments in transit and at rest and addresses the risk that staff might inadvertently overlook encrypting file attachments. Alternatively, some third parties will provide SCHN staff with a secure file sharing link to upload sensitive files instead of sending them by emails.

18.   At the time of deposing this affidavit, work is currently being undertaken to develop, in consultation with the ICT teams, a comprehensive Privacy Training plan for SCHN which would include confirming that attachments to emails which contain personal health information should be password protected or encrypted before they are sent outside NSW Health and how to add password protections or encrypt the attachments.”

  1. “Kiteworks” was explained in her affidavit at [15] as “NSW Health’s secure file sharing platform which has been in place since 2018”.

  2. Again, the statements above from Dr X are hearsay.

  3. Further, there is nothing in the above evidence relating to the security systems which explains:

  1. the relative level of security which each system provides (for example TLS only; TLS + encrypted attachment; TLS + password protected attachment; Kiteworks and variations regarding attachments); or

  2. what confirmation should be received by SCHN from a requestor of de-identified information before responding; or

  3. what titles should be given to SCHN’s communications or attachments to warn of their contents including de-identified patient data, or to include the HREC reference number (where relevant) for the relevant research project.
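The affidavit at [7]-[9] above reasons that, because both organisations use TLS between their mail servers, the transmission “would have been” encrypted; the Tribunal notes the gap between “would have” and “did”, and the list immediately above records that the evidence does not distinguish “TLS only” from an encrypted or password-protected attachment. As an added illustration, not part of the judgment or of any evidence in the proceedings, the following Python script shows the two checks a practitioner would actually run to close that gap: first, reading the Received headers of the message as delivered to see whether each server-to-server hop recorded a TLS session; second, evaluating the recipient domain’s published MTA-STS policy (RFC 8461, which the judgment does not mention) to decide whether transport TLS was merely opportunistic or enforced. All hostnames, headers and policy text are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample message (not from the proceedings): both hops record TLS.
TLS_MESSAGE = """Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTPS id abc123
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tMon, 1 Mar 2021 10:00:00 +1100
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tMon, 1 Mar 2021 09:59:58 +1100
From: clinician@sender.example
To: researcher@recipient.example
Subject: cohort verification spreadsheet

(body omitted)
"""

# Constructed sample: the sender-to-MX hop fell back to cleartext ("ESMTP", no TLS detail).
CLEARTEXT_MESSAGE = """Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTPS id abc123
\t(version=TLS1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tMon, 1 Mar 2021 10:00:00 +1100
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 1 Mar 2021 09:59:58 +1100

(body omitted)
"""

# Markers that receiving MTAs commonly stamp into Received headers for a TLS session.
TLS_HOP_RE = re.compile(
    r"\bwith\s+(?:ESMTPSA?|SMTPS)\b"   # Sendmail/Postfix/Exim "with" clause: trailing S = TLS
    r"|\bversion=TLS1\.[0-9]"          # Postfix/Exchange TLS detail
    r"|\bTLSv?1\.[0-9]\b",             # e.g. "(using TLSv1.2 with cipher ...)"
    re.IGNORECASE,
)


def transport_hops(raw_message):
    """Return [(receiving_host, tls_recorded), ...], newest hop first (post-hoc evidence)."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold the header
        by = re.search(r"\bby\s+([^\s;()]+)", flat)
        hops.append((by.group(1) if by else "?", bool(TLS_HOP_RE.search(flat))))
    return hops


def every_hop_encrypted(raw_message):
    hops = transport_hops(raw_message)
    return bool(hops) and all(tls for _, tls in hops)


# Constructed MTA-STS policy files, as a domain would serve them at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (fetched out of band; not done here).
ENFORCE_POLICY = "version: STSv1\nmode: enforce\nmx: mx.recipient.example\nmx: *.recipient.example\nmax_age: 604800\n"
TESTING_POLICY = "version: STSv1\nmode: testing\nmx: mx.recipient.example\nmax_age: 86400\n"


def parse_mta_sts_policy(text):
    """Parse the key: value lines of an MTA-STS policy; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern, host):
    """RFC 8461 s 4.1: a leading '*.' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def transport_assurance(policy_text, mx_host):
    """Classify what the sending side can know *before* sending (pre-send guarantee)."""
    if not policy_text:
        return "opportunistic"  # STARTTLS may happen, but nothing forbids a cleartext fallback
    policy = parse_mta_sts_policy(policy_text)
    if policy.get("version") != "STSv1":
        return "opportunistic"
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        return "mx-not-covered"  # an enforce policy does not protect delivery to this host
    return policy.get("mode", "none")  # "enforce", "testing" or "none"


if __name__ == "__main__":
    for label, raw in (("tls", TLS_MESSAGE), ("cleartext", CLEARTEXT_MESSAGE)):
        print(label, transport_hops(raw), "all encrypted:", every_hop_encrypted(raw))
    print("policy:", transport_assurance(ENFORCE_POLICY, "backup.recipient.example"))
```

Neither check says anything about the attachment: transport TLS protects each hop between servers and ends at the receiving server, so an unencrypted spreadsheet sits in cleartext in every intermediate mail store and in both mailboxes. A “TLS only” finding therefore answers a different question from the one the IR Decision asked, which was whether the attachment itself was encrypted as SCHN’s policy required.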

Cross-examination of Ms Ghassibe

  1. The Applicant’s mother asked Ms Ghassibe about what role, as Privacy Officer, she played in respect of the “First Request”, and why it was not dealt with by her as an internal review application under s 53 of the PPIP Act.

  2. Ms Ghassibe said that it was viewed as a matter for the Research Ethics Committee, and that she had been aware of it and provided some assistance to the review that was undertaken by that area, but was involved only to a limited extent and did not herself conduct any interviews.

Relevant facts – damages

  1. In support of the Applicant’s claim for damages, the Applicant produced a statement in his own words, two medical reports, costs relating to those reports, and a list of legal costs that had been incurred in the preparation of the extensive submissions and legal analysis before the Tribunal presented by the Applicant’s mother as his agent in these proceedings. Supporting invoices were also in evidence.

  2. To avoid duplication, I will refer to those materials later in the reasons.

Jurisdiction and task of the Tribunal

  1. In these proceedings the Tribunal is exercising its administrative review jurisdiction. That jurisdiction is conferred (and limited) by s 9(1) of the ADR Act, s 30 of the Civil and Administrative Tribunal Act 2013 (NSW) (“NCAT Act”), s 21 of the HRIP Act, and s 55 of the PPIP Act.

  2. The scope of these proceedings is limited because the Tribunal only has jurisdiction to review SCHN’s conduct “the subject of the application under section 53” of the PPIP Act. [38] And, under s 21 of the HRIP Act, SCHN’s “conduct” the subject of the review is the conduct that grounds an actual or alleged breach of an HPP:

    38. Department of Education and Training v GA (No 3) [2004] NSWADTAP 50, [7]; PC v University of New South Wales (GD) [2005] NSWADTAP 72, [20]-[21], [29].

21 Complaints against public sector agencies

(1) The following conduct by a public sector agency is conduct to which Part 5 (Review of certain conduct) of the PPIP Act applies:

(a)    the contravention of a Health Privacy Principle that applies to the agency,

(b)    the contravention of a health privacy code of practice that applies to the agency.

(2)    For that purpose, a reference in that Part:

(a)    to personal information is taken to include health information, and

(b)    to an information protection principle is taken to include a Health Privacy Principle, and

(c)    to a privacy code of practice is taken to include a health privacy code of practice.”

  1. There is no relevant “health privacy code of practice” that requires consideration by the Tribunal in these proceedings.

  2. The task of the Tribunal is to come to the “correct and preferable decision”, having regard to the relevant law and factual material. Section 63 of the ADR Act provides:

63 Determination of administrative review by Tribunal

(1) In determining an application for an administrative review under this Act of an administratively reviewable decision, the Tribunal is to decide what the correct and preferable decision is having regard to the material then before it, including the following:

(a) any relevant factual material,

(b) any applicable written or unwritten law.

(2) For this purpose, the Tribunal may exercise all of the functions that are conferred or imposed by any relevant legislation on the administrator who made the decision.

  1. Consequently, in proceedings under s 55 of the PPIP Act, the administratively reviewable decision is, or at least includes, the alleged conduct of an administrator: ADR Act, s 7(2) and PPIP Act, s 55.

  2. Section 55(1) of the PPIP Act allows a person to apply to the Tribunal for administrative review of the agency’s conduct in certain circumstances, including when that person is not satisfied with the findings of the internal review. Section 55(2) sets out the Tribunal’s powers on review. Those provisions are as follows:

55   Administrative review of conduct by Tribunal

(1) If a person who has made an application for internal review under section 53 is not satisfied with—

(a)  the findings of the review, or

(b)  the action taken by the public sector agency in relation to the application,

the person may apply to the Civil and Administrative Tribunal for an administrative review under the Administrative Decisions Review Act 1997 of the conduct that was the subject of the application under section 53.

….

(2)  On reviewing the conduct of the public sector agency concerned, the Tribunal may decide not to take any action on the matter, or it may make any one or more of the following orders—

(a)  subject to subsections (4) and (4A), an order requiring the public sector agency to pay to the applicant damages not exceeding $40,000 by way of compensation for any loss or damage suffered because of the conduct,

(b)  an order requiring the public sector agency to refrain from any conduct or action in contravention of an information protection principle or a privacy code of practice,

(c)  an order requiring the performance of an information protection principle or a privacy code of practice,

(d)  an order requiring personal information that has been disclosed to be corrected by the public sector agency,

(e)  an order requiring the public sector agency to take specified steps to remedy any loss or damage suffered by the applicant,

(f)  an order requiring the public sector agency not to disclose personal information contained in a public register,

(g)  such ancillary orders as the Tribunal thinks appropriate.

  1. The IR Application was a valid application for internal review by the Applicant in respect of the conduct of SCHN in providing the Applicant’s health information to MCRI (in respect of which the Applicant was a “person aggrieved”).

  2. There is no onus of proof in these proceedings. That means that neither the applicant nor the respondent carries a burden of proof to prove or disprove any fact: NS v Commissioner, Department of Corrective Services [2004] NSWADT 263 at [46]. The Tribunal must, however, determine the relevant facts. Those facts are to be found “on the balance of probabilities”. That is the civil standard, and it leaves room for some doubt. A finding of fact must be based, however, on probative evidence and statements made should be tested against all of the evidence before the Tribunal.

  3. The Tribunal must also make a finding as to whether or not there has been a breach of an HPP, even if the evidence is uncertain. I see no reason for any distinction to be drawn between the breach of an IPP or an HPP. In respect of the PPIP Act, the Appeal Panel in KP v Narrandera Shire Council [2011] NSWADTAP 15 overturned a Tribunal decision to make no findings in a matter because of the uncertain state of evidence, stating (at [26] and [31]):

"Ordinarily, if a court or tribunal is left in a state of uncertainty in relation to a matter, then the issue will be decided against the party who bears the legal burden of proof. …

Given the nature of the review under the PPIP Act, and the absence of any provisions attributing onus to either party, if left in a state of uncertainty in relation to a fact in issue, that fact should be decided against the applicant"

  1. This decision was subsequently affirmed in BYW v Commissioner of Police, NSW Police Force [2015] NSWCATAP 270 at [7] and FVR and FWA v Department of Education [2025] NSWCATAD 43 at [18].

The Statutory framework of the HRIP Act

  1. The HRIP Act provides for the protection of the privacy of an individual’s health information in the public and private sectors, and for an individual’s access to, and complaints about access to, their health information. Section 3 provides:

3   Purpose and objects of Act

(1)  The purpose of this Act is to promote fair and responsible handling of health information by—

(a)  protecting the privacy of an individual’s health information that is held in the public and private sectors, and

(b)  enabling individuals to gain access to their health information, and

(c)  providing an accessible framework for the resolution of complaints regarding the handling of health information.

(2)  The objects of this Act are—

(a)  to balance the public interest in protecting the privacy of health information with the public interest in the legitimate use of that information, and

(b)  to enhance the ability of individuals to be informed about their health care, and

(c)  to promote the provision of quality health services.

  1. Section 6 of the HRIP Act defines “health information” to mean:

(a) personal information that is information or an opinion about—

(i) the physical or mental health or a disability (at any time) of an individual, or

(ii) an individual’s express wishes about the future provision of health services to him or her, or

(iii) a health service provided, or to be provided, to an individual, or

(b) other personal information collected to provide, or in providing, a health service, …

  1. Section 11 of the HRIP Act provides:

11   How this Act applies to organisations

(1)  This Act applies to every organisation that is a health service provider or that collects, holds or uses health information.

Note—

The term organisation means a public sector agency or a private sector person.

(2)  An organisation to whom or to which this Act applies is required to comply with the Health Privacy Principles and with any health privacy code of practice or provision of Part 4 that is applicable to the organisation.

(3)  An organisation must not do any thing, or engage in any practice, that contravenes a Health Privacy Principle or a health privacy code of practice or a provision of Part 4 in respect of which the organisation is required to comply.

Note—

The application of Health Privacy Principles and the provisions of Part 4 may be modified by health privacy codes of practice. See section 39.

The HPPs in the parties’ submissions

  1. The 15 HPPs are central to the HRIP Act. The HPPs are legal obligations that describe what SCHN must do when it collects, holds, uses, discloses and/or transfers health information.

  2. Although raised in the course of the parties’ submissions, I find that neither HPP 4 nor HPP 9 is relevant to these proceedings. For the purpose of HPP 4, there was no relevant “collection” by SCHN in respect of any transfer of records between hospitals within its own network. For the purpose of HPP 9, I fail to see how there was any question over the accuracy or relevance of the information held.

  3. The remaining HPPs to be considered are set out below.

  4. HPP 5 relevantly provides:

5   Retention and security

(1)  An organisation that holds health information must ensure that—

(c)  the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and

Note—

Division 2 (Retention of health information) of Part 4 contains provisions applicable to private sector persons in connection with the matters dealt with in this clause.

(2)  An organisation is not required to comply with a requirement of this clause if—

(a)  the organisation is lawfully authorised or required not to comply with it, or

(b)  non-compliance is otherwise permitted (or is necessarily implied or reasonably contemplated) under an Act or any other law (including the State Records Act 1998).

(3)  An investigative agency is not required to comply with subclause (1) (a).

  1. HPP 10, in respect of “use” of health information, relevantly provides:

10   Limits on use of health information

(1)  An organisation that holds health information must not use the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless—

(a)  Consent

the individual to whom the information relates has consented to the use of the information for that secondary purpose, or

(b)  Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to use the information for the secondary purpose, or

Note—

For example, if information is collected in order to provide a health service to the individual, the use of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(f)  Research

the use of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and—

(i)  either—

(A)  that purpose cannot be served by the use of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the use, or

(B)  reasonable steps are taken to de-identify the information, and

(ii)  if the information could reasonably be expected to identify individuals, the information is not published in a generally available publication, and

(iii)  the use of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

  1. HPP 11, in respect of “disclosure” of health information, relevantly provides:

11   Limits on disclosure of health information

(1)  An organisation that holds health information must not disclose the information for a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it was collected unless—

(a)  Consent   

the individual to whom the information relates has consented to the disclosure of the information for that secondary purpose, or

(b)  Direct relation

the secondary purpose is directly related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose, or

Note—

For example, if information is collected in order to provide a health service to the individual, the disclosure of the information to provide a further health service to the individual is a secondary purpose directly related to the primary purpose.

(f)  Research

the disclosure of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest and—

(i)  either—

(A)  that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained and it is impracticable for the organisation to seek the consent of the individual for the disclosure, or

(B)  reasonable steps are taken to de-identify the information, and

(ii)  the information will not be published in a form that identifies particular individuals or from which an individual’s identity can reasonably be ascertained, and

(iii)  the disclosure of the information is in accordance with guidelines, if any, issued by the Privacy Commissioner for the purposes of this paragraph, or

  1. The Commissioner has issued Statutory Guidelines on Research under s 64 of the HRIP Act. Section 64 states:

64 Guidelines by Privacy Commissioner

(1) The Privacy Commissioner may issue guidelines for or with respect to any matter for which guidelines may be issued under this Act. The Privacy Commissioner may from time to time amend or replace the guidelines.

(2) Guidelines issued by the Privacy Commissioner may apply, adopt or incorporate any publication as in force for the time being.

(3) The Minister may request the Privacy Commissioner to develop guidelines relating to any matter that the Minister considers should be the subject of guidelines.

(4) The procedure for the issuing of guidelines is as follows—

(a) the Privacy Commissioner is to prepare proposed guidelines in draft form and is to prepare an impact assessment statement for the proposed guidelines in accordance with such requirements as the Minister may from time to time determine,

(b) the draft guidelines and impact assessment statement are to be publicly exhibited for a period of at least 21 days,

(c) the Privacy Commissioner is to seek public comment on the draft guidelines during the period of public exhibition and public comment may be made during the period of the exhibition and for 21 days (or such longer period as the Privacy Commissioner may determine) after the end of that period,

(d) the Privacy Commissioner is to submit the draft guidelines to the Minister for approval together with a report by the Privacy Commissioner giving details of public comment received during the period allowed for public comment and the Privacy Commissioner’s response to it,

(e) the Privacy Commissioner is not to issue the draft guidelines as guidelines unless the Minister approves the guidelines.

(5) The procedure for the amendment or replacement of guidelines is the same as for the issuing of the guidelines unless the Minister otherwise directs in respect of a particular amendment.

  1. The Statutory Guidelines on Research are contained in Part 2 of a document of the same name (“SGR Publication”). The introduction to the SGR Publication says:

“This publication outlines the requirements for the use and disclosure of health information for research and statistics. It has been prepared after public consultation. You should read it in conjunction with the HRIP Act and the Office of the Privacy Commissioner NSW ‘User Manual: Handbook to Health Privacy’. If you are from the public health system, you should also read it in conjunction with the NSW Health Department’s ‘Privacy Manual’.

Part 1 explains some of the issues you need to consider when using and disclosing health information for research or statistics. It also includes a checklist and examples to help you decide what you should do in different circumstances.

Part 2 contains the statutory guidelines on research. You must comply with these statutory guidelines on research if you are seeking to use or disclose health information relying on the ‘research exemption’ in HPP 10(1)(f) or 11(1)(f). These statutory guidelines on research are issued under section 64 of the HRIP Act.”

  1. I will refer below in these reasons to the “Explanatory Notes” (introduction and Part 1) and the “Research Guidelines” (Part 2) contained in the SGR Publication.

  2. HPP 14 provides (extracts):

14   Transborder data flows and data flow to Commonwealth agencies

An organisation must not transfer health information about an individual to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless—

(a)  the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles, or

(b)  the individual consents to the transfer, or

(c)  the transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request, or

(g)  the organisation has taken reasonable steps to ensure that the information that it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Health Privacy Principles, or

(h)  the transfer is permitted or required by an Act (including an Act of the Commonwealth) or any other law.

Preliminary matters

Scope of these proceedings

  1. I agree with the submissions of SCHN [39] that the Tribunal does not have jurisdiction to consider or make any orders relating to other persons who may have been named on the Updated Spreadsheet. The Applicant is not a “person aggrieved” in respect of those persons, and such disclosure of their information does not prejudicially affect his own interests: Altaranesi v Administrative Decisions Tribunal [2012] NSWCA 19 at [52]. Nor are any facts in respect of those persons or their circumstances before the Tribunal.

    39. R2 at [42]-[46]

  2. The Tribunal, as noted above, reviews the conduct of SCHN that potentially breaches an HPP. It therefore does not review the conduct of the agency or its process in conducting the internal review: EOK v Northern Beaches Council [2021] NSWCATAD 297, [64]; BKM v Sydney Local Health District [2015] NSWCATAD 87, [22]. That same principle extends to a review of any conduct of the agency or its legal representatives under the Model Litigant Guidelines, a matter which does not concern a breach of an HPP.

  3. Matters raised in respect of the conduct of the review and the proceedings are discussed below in my consideration of orders and damages.

Is SCHN bound by the findings of the IR Decision?

  1. SCHN asks the Tribunal to depart from the findings in the IR Decision, submitting there was no breach of HPP 5, HPP 11 has no application to the provision of information to MCRI, and there has been no breach of HPP 14, which is the relevant HPP that would regulate the provision of information to MCRI. Therefore, it says, the Tribunal should decide not to take any action on the matter.

  2. In the context of the PPIP Act, it has been found that a respondent can resile from the findings of its own internal review in relation to a breach of an IPP: AQK v Commissioner of Police, NSW Police Force [2014] NSWCATAD 55 at [46]. I find no reason to depart from that view in respect of these proceedings where the Tribunal is reviewing the conduct, and not the IR Decision.

  3. In those circumstances, where the Tribunal must come to its own decision as to whether there was a breach of the HRIP Act, I find that SCHN is entitled to depart from the findings of the IR Decision and raise new arguments (including in respect of the interpretation of HPP 11 and HPP 14), even where there has been no change in the circumstances since that time, provided the reviewable “conduct” remains as identified in the IR Application (which, in this case, it does).

Was the engagement of an external consultant to conduct the internal review permitted under s 53 of the PPIP Act?

  1. SCHN submitted that this question was outside the scope of the current proceedings. Nonetheless, it has been dealt with by other Tribunals and the Privacy Commissioner made submissions. Further, although the IR Decision is not the relevant “conduct” under review, it is the stated position as advised to the Applicant as a result of the IR Application, and is relevantly considered in these proceedings.

  2. I agree with the submissions of the Privacy Commissioner that s 53 of the PPIP Act did not preclude SCHN engaging IIS Partners to undertake the internal review.

  3. As noted above, s 53(1) of the PPIP Act provides that “[a] person (the applicant) who is aggrieved by the conduct of a public sector agency is entitled to a review of that conduct”; and s 53(2) provides that “[t]he review is to be undertaken by the public sector agency concerned” (emphasis added). An application for review must meet the formal requirements outlined in s 53(3), including that it is “(c) addressed to the public sector agency concerned”.

  4. Section 53(1) is to be read in light of its statutory context and, in this regard, s 53(4) provides (emphasis added):

Except as provided by section 54(3), the application must be dealt with by an individual within the public sector agency who is directed by the agency to deal with the application. That individual must be, as far as is practicable, a person –

(a) who was not substantially involved in any matter relating to the conduct the subject of the application, and

(b) who is an employee or officer of the agency, and

(c) who is otherwise suitably qualified to deal with the matters raised by the application.

  1. The Tribunal has previously agreed with the Privacy Commissioner’s view that the requirement that the individual must be “as far as practicable” a person who is an officer or employee implicitly recognises that, where it is not practicable, a consultant may be retained instead. Indeed, the current situation is similar to that which arose in CRE v Blacktown City Council [2017] NSWCATAD 285 (“CRE”), where the respondent had provided the applicant’s internal review application to an external reviewer. In that case, the applicant had stated he had no faith in the independence of any reviewer from within the Council, but had also objected to the appointment of an external party. And the Tribunal said (at [68] and [69]):

“the concept of ‘practicability’ extends to the likelihood that any internal review conducted by an employee or officer of the Council would have been subjected to challenge by the applicant on the basis that the relevant individual was not impartial and was biased against the applicant.

…the concept of practicability extends to the likelihood of allegations of bias or impartiality against any employee or officer of the Council.”

  1. In this matter, the Applicant wished to have an independent party review the application. Ms Ghissabe confirmed to the Tribunal that she had had some involvement with the previous “complaint”. And further, as noted in the IR Decision:

“[t]he SCHN determined that it would be beneficial for an independent party to conduct the Privacy Internal Review, given that their Privacy Contact Officer had been involved in the initial response to the privacy complaint. It engaged IIS, an expert privacy and security consultancy, to conduct the review.”

  1. On that basis, I find that it was “not practicable” for the review to be conducted by an employee or officer of SCHN, and it was appropriate, and not precluded by s 53(4), for the internal review to be undertaken through the engagement of IIS Partners. See also DQF v Secretary, Department of Communities and Justice [2021] NSWCATAD 351 at [53].

“Disclose” for the purpose of the HRIP Act

  1. The terms “disclose” and “disclosure” are not defined in the HRIP Act.

  2. The NSW Court of Appeal has said that the “essence of disclosure” is “making known to a person information that the person to whom the disclosure is made did not previously know”: Nasr v State of New South Wales [2007] NSWCA 101 (“Nasr”) at [127], [129]-[132] per Campbell JA (Beazley and Hodgson JJA agreeing).

  3. That interpretation differs from the interpretation of “disclosure” adopted by the (Federal) Office of the Information Commissioner (“OIC”), which contemplates that the information may already be known to the recipient.

  4. But the definition in Nasr has been adopted by the Appeal Panel of this Tribunal in Insurance and Care NSW v FMM [2024] NSWCATAP 43 (“FMM (AP)”) at [68]-[73], a case which considered the PPIP Act as well as HPP 11 and HPP 5 in the HRIP Act. The Appeal Panel explained:

“74. The ordinary grammatical meaning of the words in s 18 of the PPIP and clause 11 of Sch 1 to the HRIP Act is consistent with the concept of disclosure set out in Nasr. … Section 18 of the PPIP Act and clause 11 of Sch 1 to the HRIP Act do not contemplate a unilateral action by the agency, but an interaction between the agency and the person to whom the disclosure is made. The person to whom the disclosure is made must receive the information before the information can be said to have been disclosed.

75.   It follows that we do not accept the Privacy Commissioner’s submission that the “conduct” of disclosing information is confined to actions of the agency. The submission was made that the question of whether a third party becomes aware of information should only be considered when assessing whether loss has occurred. While the conduct is that of the agency, the issue is whether that conduct contravenes the relevant legislation. For the reasons we have given, in this case the alleged contravention is disclosing the information to a person in the sense of making that information known to the person. The assessment of loss is informed by the effect that the disclosure to a third party has on the applicant.

76.   The Court of Appeal’s interpretation of the word “disclose” in Nasr is also consistent with a purposive construction of the relevant provisions. Where no personal information has been made known to a person, even if that person could have accessed the information, the privacy of the individual to whom the information relates will not have been compromised.

78.   We are not assisted by the meaning given to the word “disclose” in other legislation including the Government Information (Public Access) Act 2009 (NSW) (GIPA Act), the Public Interest Disclosures Act 2022 (NSW) (PID Act) or the Privacy Act 1988 (Cth). Section 18 of the PPIP Act and clause 11 of Sch 1 to the HRIP Act were enacted before the GIPA Act and the PID Act. Parliament could not have had those statutes in mind when enacting s 18 of the PPIP Act. Furthermore, the term “disclose” is a defined term in both the GIPA Act and the PID Act, but not in the PPIP Act.

79.   The Privacy Act 1988 (Cth) is federal legislation. While the AAT has found that “disclose” in the context of that legislation “is not limited only to the revelation of what is not known to the would be recipient of the information”, that is not the case for s 18 of the PPIP Act: Pratt Consolidated Holdings Pty Ltd v Commissioner of Taxation [2011] AATA 907 at [112]–[119] and Nasr.”

  1. I therefore apply the definition of “disclose” in Nasr as adopted by the Appeal Panel.

Do both HPP 11 and HPP 14 need to be considered?

  1. I find that HPP 11 and HPP 14 apply cumulatively, and compliance with HPP 14 in respect of the transfer of health information outside New South Wales does not relieve SCHN of the obligation to comply with HPP 11. Where both apply, both must be satisfied.

  2. The Applicant pointed to the policy documents issued by the Privacy Commissioner and NSW Health which clearly state that HPP 11 and HPP 14 must both be applied. I agree with the submissions of SCHN [40] (and accepted by the Privacy Commissioner [41] ) that policy documents are not relevant to the statutory construction exercise and cannot modify the meaning of words used in the HRIP Act. Nonetheless, my finding is consistent with that guidance that states that HPP 14 is an additional rule.

    40. at R3[67]

    41. at PC1[33]

  3. Turning to the task of statutory construction, SCHN made three broad submissions in support of its contention that HPP 11 and HPP 14 do not operate cumulatively and as a result, SCHN in this matter need only demonstrate compliance with HPP 14:

  1. HPP 11 is the “general provision” and HPP 14 is the “specific provision” where SCHN is providing health information to a recipient outside NSW, and “there would be some tension if both HPP 11 and HPP 14 applied to restrict a disclosure outside NSW and to Commonwealth agencies as that would render certain paragraphs in HPP 14 otiose”; [42]

  2. There is a common law presumption against the extraterritorial operation of legislation absent clear words, which is reflected in s 12(1)(b) of the Interpretation Act 1987 (NSW); and

  3. The structure and order of the HPPs indicate that HPP 11 and HPP 14 “are intended to have different (and not overlapping) fields of operation”.

    42. R3[71]-[72]

  1. Contrary to SCHN’s submissions, the Privacy Commissioner says that both HPP 11 and HPP 14 are to be applied. She submits, inter alia:

  1. The provisions can be read harmoniously together, noting that both HPP 11 and HPP 14 contain obligations preventing disclosure;

  2. To remove the obligations arising under HPP 11 using different exemption criteria would circumvent the obligations in HPP 11(1)(f);

  3. HPP 15(2)(c) by its words expresses a clear preference for HPP 11(1)(f), i.e. if an agency complies with HPP 11(1)(f) it need not comply with HPP 15(1); and

  4. HPP 11(2) provides a list of circumstances which, if satisfied, remove the requirement to comply with “a provision of this clause” (ie HPP 11). There is no mention of HPP 14 in HPP 11(2); and

  5. There is no extraterritorial application in circumstances where the legislation only applies to a NSW-based health agency, and the relevant (extraterritorial) transfer emanates from it (and, in any event, a contrary intention in the HRIP Act can modify the common law presumption).

  1. SCHN’s submissions in respect of this issue refer to the “provision” of information. HPP 11 applies to a “disclosure”; and HPP 14 applies to a “transfer” outside New South Wales. Neither refers to “provision”. The heading of HPP 14 refers to “data flows”, and in my view the terminology of “transfer” therefore contemplates something wider than “disclosure”, although disclosure may be a subset of it. For example, the sending of information through a file sharing platform, or similar situations involving the ability to access data from a location other than New South Wales, would be within HPP 14. It would also apply to the transfer of information already known to the recipient. For that reason, they are in my view directed to different purposes but may overlap.

  2. The difference in wording was in place when the HRIP Act was first introduced. The Second Reading Speech to the Bill which introduced the HRIP Act in 2002 did not state that non-compliance with HPP 11 would be permitted where HPP 14 was satisfied. It also referred to HPP 14 as applying to the “cross-border flow of data”:

“Principles 10 and 11 set out the list of purposes for which holders of health information can use and disclose health information. Principle 12 establishes limits on the use of identifiers. Principle 13 allows people to access health services anonymously, provided it is lawful and practicable to do so. Principle 14 sets out specific circumstances and requirements for the cross-border flow of data.”

  1. As noted by the Applicant, HPP 14 also contemplates the “transfer” of patient records to a medical practitioner in a jurisdiction outside New South Wales.

  2. Regarding SCHN’s argument concerning “extra-territorial operation”, I agree with the above submissions of the Privacy Commissioner that the HRIP Act is concerned with the conduct of the agency to which the HRIP Act applies; that conduct occurred in New South Wales, notwithstanding its effects may extend outside New South Wales.

  3. I have considered SCHN’s submissions regarding previous Tribunal decisions regarding the interaction between s 18 and s 19(2) of the PPIP Act. Those are not the provisions here under consideration. In any event, I do not see any reason why the decision in EHG v Commissioner of Police [2021] NSWCATAD 54 was incorrect. It concluded that s 19(2) (the transborder provision) applied cumulatively to s 18(1) of the PPIP Act following amendments made with effect from 1 April 2016, having regard to the second reading speech which made clear that was the intended effect. I also do not find SCHN’s submissions regarding the amendment to a provision in 2017 persuasive to overturn that view.

  4. I do not agree that HPP 14 is “more specific” than HPP 11. If SCHN’s contention was correct, where no consent was provided the additional specific requirements of the research exception considered below (including the requirement for HREC approval) would be fully bypassed, replaced only by a requirement that the jurisdiction to which identified health information was transferred had similar legislation in place to the HRIP Act.

  5. Having regard to the objects and purposes of the HRIP Act, the primary object of the legislation is to protect the privacy of such information. HPP 11 and HPP 14 each prescribe limitations and both seek to prescribe conditions in support of that object.

  6. Further, s 11(2) of the HRIP Act mandates that SCHN complies with the Health Privacy Principles.

  7. For the reasons above, and in the absence of words which evidence a contrary intention, I find that HPP 14 is an additional requirement to HPP 11 and both must be satisfied in this case.

Was there a breach of HPP 11?

  1. I turn next to the requirements of HPP 11.

  2. Not all health information is afforded protection by the HRIP Act. Relevant in this case is the specific “research exemption” in HPP 11(1)(f) in respect of disclosure (and replicated in HPP 10 in relation to “use”).

  3. The Privacy Commissioner noted the lack of precedent as to how HPP 11(1)(f) (and the Research Guidelines) should be applied.

  4. The HRIP Act should be interpreted in accordance with the ordinary principles of statutory construction. This means construing the text of the provisions, having regard to their context and purpose: ENT19 v Minister for Home Affairs (2023) 278 CLR 76, [86] (Gordon, Edelman, Steward and Gleeson JJ). And here, the task is to construe the language of the HRIP Act, not the individual words in isolation: Sea Shepherd Australia Ltd v Commissioner of Taxation (2013) 212 FCR 252.

  1. I adopt the same approach, having regard to the process set out in s 64 of the HRIP Act in respect of the Research Guidelines. I find that the Research Guidelines should be construed as binding on SCHN and the Tribunal should not depart from them. However, Perry Properties and Antegra also confirmed that in construing the guidelines before them, the Tribunal should apply general rules of statutory interpretation, having regard to their purpose and intent.

Section 1.3 of the Research Guidelines (“the pre-requisites”)

  1. Section 1.3(a) to (d) of the Research Guidelines requires SCHN to have satisfied four “prerequisites”.

  2. These four prerequisites have been satisfied on my analysis above, as they mirror the following provisions in HPP 11(1)(f):

Section of Research Guideline / Wording (the footnotes are incorporated as endnotes in this decision) / Equivalent clause of HPP 11 (considered above):

Section 1.3(a) – Wording: “It must be reasonably necessary to use or disclose health information for the purpose of research or the compilation or analysis of statistics, in the public interest;”
Equivalent clause of HPP 11: HPP 11(1)(f) chapeau – “the disclosure of the information for the secondary purpose is reasonably necessary for research, or the compilation or analysis of statistics, in the public interest”.

Section 1.3(b) – Wording: “The relevant purpose of research or the compilation or analysis of statistics activity must be in the public interest;”
Equivalent clause of HPP 11: HPP 11(1)(f) chapeau – as above.

Section 1.3(c) – Wording: “The relevant purpose of research … cannot be achieved by the use or disclosure of de-identified information [47]; and”
Equivalent clause of HPP 11: the first requirement in HPP 11(1)(f)(i)(A) – “that purpose cannot be served by the disclosure of information that does not identify the individual or from which the individual’s identity cannot reasonably be ascertained ….”

Section 1.3(d) – Wording: “It must be impracticable to seek consent [48] from the individual(s) to [use or] disclose their health information for the purpose of research or the compilation or analysis of statistics, in the public interest.”
Equivalent clause of HPP 11: the second requirement in HPP 11(1)(f)(i)(A) – “…and it is impracticable for the organisation to seek the consent of the individual for the disclosure”.

47. The footnote at section 1.3(c) of the Research Guidelines states: “Note that if you have taken reasonable steps to de-identify the information before using or disclosing it then these statutory guidelines on research do not apply. The statutory guidelines on research only apply where the purpose cannot be served by the use or disclosure of de-identified information.”

48. The footnote at section 1.3(d) of the Research Guidelines states: “Please see footnote 7 for a list of the factors that HRECs should consider in assessing whether it is impracticable to seek consent.” (my emphasis). The list of factors in footnote 7 is extracted at par 165 of these reasons.

  1. I therefore find that the prerequisites in section 1.3 of the Research Guidelines have been satisfied.

Section 1.4 of the Research Guidelines

  1. Section 1.4 imposes three further requirements on SCHN (the relevant “organisation”):

Conditions for organisations seeking to use or disclose

1.4.   Where an organisation seeks to rely on these statutory guidelines to lawfully use or disclose health information it must:

(a)   be satisfied that the research or the compilation or analysis of statistics activity in which the health information is to be used or disclosed has been approved by a Human Research Ethics Committee (HREC) under these statutory guidelines;

(b)    be satisfied that the HREC granting the approval satisfies the conditions in section 1.5 of these statutory guidelines; and

(c)    comply with other duties imposed upon it by these statutory guidelines.

  1. Section 1.5 of the Research Guidelines, in turn, provides:

Conditions for HRECs

1.5   An HREC must:

(a)   only give approval under the Act for the collection, use or disclosure of health information for the purpose of research … in the public interest, in accordance with these statutory guidelines;

(b)    be constituted and functioning in accordance with the National Statement on Ethical Conduct in Research Involving Humans (2:  Human Research Ethics Committees); and

(c) comply with sections 4.1 – 4.10 of these statutory guidelines.

  1. Six matters frame the required interpretation of section 1.4 in this case:

  1. Section 1.1 of the Research Guidelines, which says:

These statutory guidelines require research proposals to be submitted to a Human Research Ethics Committee [HREC] for approval.

  2. Section 1.4 should not revisit the “prerequisites” already found to have been satisfied under section 1.3 discussed above. It is therefore to be assumed that (inter alia) the required “reasonably necessary” connection between the disclosure and the research has been satisfied.

  3. It follows that the obligations in section 1.4(a) and (b) are concerned to ensure that there was appropriate referral to, and approval by, a properly constituted HREC.

  4. The obligations under section 1.5 are imposed on the HREC, and not SCHN. In this review, section 1.4 does not require or permit the Tribunal to review or revisit ethical decisions made by the HREC to waive consent.

  5. Nonetheless, in order for the Tribunal to find that SCHN would be “satisfied”, there must be some evidence as to the requirements of section 1.4 being met.

  6. I also consider that references in sections 1.4 and 1.5 to “under these statutory guidelines”, in the context of the NMA Scheme, should be read as compliance with the equivalent guidelines in other Australian jurisdictions. This is because:

  1. MCRI submitted the relevant proposal for the Research Project to the MH HREC on behalf of all participants under the NMA Scheme, which included SCHN;

  2. That required only a “single” ethical approval. The MH HREC was the only HREC that considered and approved the Research Project and the (relevant) waiver of consent;

  3. The MH HREC confirmed that it operated in accordance with the (equivalent) Health Privacy Principles described in the Health Records Act 2001 (Vic) (“HRA Act (Vic)”) and section 95A of the Privacy Act 1988 (Cth) (“Privacy Act (Cth)”) (and subsequent Guidelines): see par 28 above. The guidelines issued under s 22 of the HRA Act (Vic) for the purpose of the (equivalent) research exemption in s 2.2(g)(iii) of that Act, and the NHMRC guidelines issued under ss 95 and 95A of the Privacy Act (Cth), substantively align with the content of the Research Guidelines.

  1. I find that SCHN would have been satisfied that MCRI and the MH HREC respectively applied for, and considered and approved, the Research Project and the relevant waiver of consent for the retrospective cohort of which the Applicant (as found above) formed part.

  2. I therefore find that the requirement in section 1.4(a) is met. I find that SCHN was satisfied that the research activity in which the [Applicant’s health information] was to be disclosed had been approved by the MH HREC “under these statutory guidelines”. SCHN had also been approved as an authorised site for the purpose of the Research Project, and had received the approval (and updated approvals) granted by MH HREC from MCRI prior to the disclosure, which included the above waiver of consent.

  3. I also find that the requirement in section 1.4(b) is met, because SCHN was “satisfied” that the MH HREC complied with the conditions in section 1.5, i.e.:

  1. It was constituted and functioned in accordance with the National Statement on Ethical Conduct in Research Involving Humans. It was also certified to consider and approve research proposals under the NMA Scheme.

  2. In approving the Research Project, it:

  1. only gave approval under the Act for the collection, use or disclosure of health information for the purpose of research in accordance with “these statutory guidelines”;

  2. complied with the requirements in sections 4.1 - 4.10 of the Research Guidelines, including in respect of the granting of a waiver of consent in respect of the retrospective cohort of which the Applicant formed part, as set out in my findings on the evidence above.

  1. In addition, I find that the MH HREC would have been aware of the relevant documents issued by the NHMRC relevant to the NMA Scheme, including the document titled “Jurisdictional Legislative Requirements: National & State Statutory and Administrative Frameworks for Ethical Review of Multi-centre Human Research Projects” [49] which included the following “New South Wales” section regarding the HRIP Act and said in respect of the Research Guidelines:

“These Guidelines [issued under the New South Wales HRIP Act] are essentially the same as the Guidelines developed for s95 and 95A of the Privacy Act 1988 (Cth). Research requiring use or disclosure of personal health information will need to be considered by a HREC who will apply the test set out in the Act. The reviewing HREC and its organisation must report to the NSW Privacy Commissioner on an annual basis even where that HREC is outside NSW.”

49. Version August 2017 at R2, 32

  1. I therefore find that SCHN was “satisfied” as to the matters in section 1.4(b).

  2. In respect of section 1.4(c), I find that SCHN met its “disclosure” obligations in section 2 of the Research Guidelines. First, the approval from the MH HREC was both sought and received by MCRI before the disclosure was made. Second, the seeking of that approval and consideration by the MH HREC was required to be undertaken in accordance with the equivalent provisions in that jurisdiction (noting that MCRI was a “collector” of that information). Third, there is nothing before me which would cause me to find that the requirements were not satisfied. Fourth, MCRI confirmed that the Applicant’s health information was collected by it for the purpose of the Research Project, as approved by the MH HREC approval. The disclosure by SCHN was made in response to that collection request.

  3. SCHN also referred the Tribunal to the obligations in sections 2.11 and 3.5 of the Research Guidelines (“Matters warranting review of ethical approval” in respect of the use, disclosure and collection of health information) which imposed ongoing obligations after the HREC approval had been obtained to immediately report to the HREC anything that might warrant review of the ethics approval. This was also done, on behalf of all participants including SCHN, by way of MCRI requesting approval of the amendments to the Study Protocol, as referenced in the facts above.

  4. For the above reasons, I find that the requirements of HPP 11(1)(f)(iii) were satisfied.

Conclusion on HPP 11

  1. It follows there was no breach of HPP 11 when the Applicant’s health information was disclosed to MCRI without his consent.

Was there a breach of HPP 10 (Limits on use)?

  1. I find that HPP 10 does not apply, because (on the evidence before the Tribunal) SCHN did not “use” the Applicant’s health information for its own purposes, such as using it internally for its own operations or analysis. Rather, SCHN only handled the information to prepare the spreadsheet for the purpose of disclosure to MCRI.

  2. This view was confirmed on appeal by the Appeal Panel of this Tribunal in AIN v Medical Council of New South Wales [2017] NSWCATAP 23 (“AIN”). The Appeal Panel noted that the PPIP Act established separate rules for use and disclosure. It held that the steps taken were “concerned with the making of the disclosure”, and “there was no act of internal use of personal information”, and thus IPP 9 did not apply (at [81]-[82]).

  3. The Tribunal is not bound by the doctrine of precedent to follow earlier decisions, but it should ordinarily follow decisions of the Appeal Panel and decisions of the Tribunal as constituted by the President or a Deputy President, unless they are clearly wrong. There is nothing “clearly wrong” arising from my review of the decision in AIN, and I therefore see no reason to depart from its approach.

  4. As a result, I find that HPP 10 does not apply, as the actions taken by SCHN to prepare information for disclosure were not a separate “use”.

  5. Further, if I am wrong on that point, HPP 10 mirrors the wording of HPP 11, other than referring to the “use” rather than the “disclosure” of the information, and the same Research Guidelines apply to both HPP 10(1)(f) and HPP 11(1)(f). As any “use” was directly related to the disclosure, it follows that the requirements of HPP 10, including the research exemption in HPP 10(1)(f), were satisfied on the same basis considered above in respect of HPP 11(1)(f).

Was there a breach of HPP 5?

  1. The relevant wording of HPP 5 is set out below:

5   Retention and security

(1)  An organisation that holds health information must ensure that—

(c)  the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse

  1. Despite the findings of the IR Decision that there was a breach of HPP 5(1)(c), SCHN now submits there was no breach.

  2. For a breach to be established, the Tribunal must be satisfied that:

  1. SCHN held the health information.

  2. the security measures in place to protect the information were unreasonable in the given circumstances; and

  3. no exemption to compliance provided for by cl 5(1)(c) applies.

  1. There is no dispute that (1) and (3) above are satisfied.

  2. I have had regard to SCHN’s written submissions on HPP 5(1)(c) which said, [50] in summarising the evidence presented by Ms Ghissabe, that their security safeguards were reasonable because:

    50. at R3 at [141]-[146]

  1. SCHN had both technical and organisational measures to address the risk of unencrypted spreadsheets being sent and they actively drew staff attention to privacy policies and tailored resources.

  2. Despite the spreadsheet not being encrypted, the recipient was unaware of any unauthorised access, which suggested that the existing technology controls (TLS encryption for emails) were effective.

  3. even though Dr X might not have been aware of the encryption option, SCHN had other measures in place, such as Kiteworks, and there was no evidence that other staff failed to encrypt attachments or use Kiteworks; and

  4. since the relevant conduct occurred, these procedures have been enhanced and made more known to staff.

  1. I agree that:

  1. the relevant obligations in HPP 5 and its counterpart in IPP 5 of the PPIP Act are essentially the same: XW v Department of Education and Training [2009] NSWADT 73 (“XW”) at [20]; and

  2. what is “reasonable in the circumstances” requires objective evaluation: XW at [67].

  1. However, relevant considerations include the sensitivity of the information (health information being “highly sensitive”), and the protection afforded to such information should reflect that level of sensitivity: see ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122 at [31], [40]. It is appropriate to have regard to the potential gravity of the consequences of any unauthorised disclosure of the information: XW at [67] and [92]. The fact that a person’s personal and/or health information is disclosed does not automatically mean that the security safeguards an agency had in place were not reasonable in the circumstances: CHY v Family and Community Services [2018] NSWCATAD 84 at [33]; BE v University of Technology, Sydney [2008] NSWADT 139 at [79]. By corollary, the fact that it “appears” that MCRI did not disclose the information to others does not automatically mean that the safeguards were reasonable.

  2. I accept that IPP 5 and HPP 5 do not involve an absolute or strict standard of security safeguarding. As noted by SCHN, they operate subject to a reasonableness standard: CLT v Department of Education and Communities [2016] NSWCATAD 98 at [9].

  3. I agree with the principles and propositions submitted by SCHN and that the Tribunal assesses the reasonableness of the overall suite of security mechanisms, rather than whether each individual safeguard is perfect or meets best practice.

  4. In considering what was “reasonable” in the relevant circumstances, the Tribunal in XW said, at [67]:

“Section 12(c) requires security safeguards that are reasonable in the circumstances. That is clearly an objective evaluation, and one that requires consideration of the nature of the information, which would include its sensitivity, and the consequences of loss, unauthorised access, use or disclosure. The s12(c) obligation applies in relation to information the agency has a need to hold, which is the only information an agency should hold (s12(a) PPIP Act). The issue of who in the agency needs to be able to access it, and how access is regulated, is relevant”.

  1. The thrust of SCHN’s submissions is that the Tribunal should be satisfied that there was no contravention of HPP 5 because the security safeguards the agency had in place were thereby “reasonable” in the circumstances, and that it is also significant that MCRI “is not aware that use of this data transfer method resulted in any unauthorised access”. [51]

    51. A2, item 17(a)

  2. With respect, I disagree. In the circumstances (being my review of the conduct in respect of protecting the Applicant’s health information), “the information” was highly sensitive and identifiable health information that was received, held, disclosed and at risk of being more widely “shared” without any stated restrictions or limitations; there were no warnings, references to the Research Project or the baseline cohort, or password protection or encryption of the spreadsheet that was sent. The fact that TLS was used by MCRI and SCHN does not remedy these additional issues. Nor does the fact that it may not have led to viewing by persons outside the relevant and authorised teams. It was apparent from the conduct set out above that despite the existence of the security safeguards presented by SCHN, little thought was given to them or how they should have been applied. I therefore can only conclude that there was a breakdown in their observation through either a lack of knowledge, a lack of concern, or both. The IR Decision correctly pointed to the failure to comply with SCHN’s own written instructions in the Privacy Leaflet for Staff (SCHN) advising against sending health information outside NSW Health unless password-protected or encrypted, and suggesting secure file transfer systems be used.

  3. In the absence of SCHN presenting other evidence, and noting that some of the stated education was optional, I am left with only a suggested “cone of silence” and vague and unpersuasive hearsay evidence as to how this occurred. This also does not provide sufficient comfort that the situation that occurred was an anomaly from procedures which were appropriately communicated, understood, and enforced.

  4. In those circumstances, I find that there was a breach of HPP 5(1)(c).

Was there a breach of HPP 14?

  1. Relevantly, HPP 14(a) permits the transfer of health information outside New South Wales if “the organisation reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the Health Privacy Principles”.

  2. The Privacy Commissioner pointed to the decision of the Administrative Decisions Tribunal (ADT) in QB v Greater Southern Area Health Service [2011] NSWADT 90 (“QB”) at [151]-[152] which found there was no breach of HPP 14 where health information was transferred to Victoria:

“151 The interstate health service is located in Victoria. As such it is an agency subject to the provisions of the Health Records Act 2001 (Vic). That Act effectively upholds principles for the fair handling of the information that are substantially similar to the Health Privacy Principles.

152 As a result I am not satisfied that there has been a breach of HPP 14.”

  1. Similar reasoning is available in this matter, given that the “recipient of the information” (MCRI) is located in Victoria and, as in QB, bound by the provisions of the Health Records Act 2001 (Vic).

  1. I find that there was no breach of HPP 14.

What orders should the Tribunal make?

The Applicant’s proposed orders

  1. The Applicant sought the following orders:

  1. A full acknowledgement of a breach of the Applicant’s privacy;

  2. An apology for the breach of privacy;

  3. An apology for the conduct that has since prevailed by both SCHN and the Crown Solicitor’s Office (CSO) in attempts to avoid acknowledgement of the breach;

  4. Appropriate disciplinary action taken for all staff involved, to ensure staff are held accountable for their actions, including their involved supervisors;

  5. The unconsented private data of all (“nearly 300 children”) disclosed by SCHN to MCRI to be withdrawn from the research study;

  6. The SCHN Ethics Committee (which I take to be the SCHN HREC) to:

  1. Be made aware of what has occurred under their oversight;

  2. Make improvements to ensure future protocols adhere to the exemption principles as stipulated in Statutory Guidelines and Privacy Acts;

  3. Undertake governance to ensure protocols apply their approval conditions (eg internal audits, accountability to any concerns raised);

  4. A cultural shift to occur within the SCHN, with a (re)prioritised focus on respect for patient participation through rectification, re-education and re-training. Particularly to the application of all the “NHMRC: National Statement on Ethical Conduct in Human Research 2023” principles, eg. Section 1.1(d). This must lead the SCHN to stop sharing patient’s identified sensitive information.

  5. SCHN governance, including those of research and ethics governances, to be (re-)educated and well versed on the definition of ‘clinical audits vs research’ and ALL principles (legal, ethical and scientific) of the NMA scheme; to prevent external researchers misleading SCHN into misapplying project protocols.

  6. The maximum compensation payment of $40,000 from NCAT for:

“The mismanagement of the matter by SCHN as per NSW Health Policy Directive ‘Complaints Management’: PD2020_013

Personal impact of the breach itself and the ensuing complaint mismanagement

Time and effort required to simply seek an answer as to ‘what authority’

The behaviour of both SCHN and their legal representatives under the Model Litigant Policy.”

  1. In respect of damages sought, the Applicant seeks damages of $40,000 for the alleged breaches of the HRIP Act. At the hearing, the Applicant’s mother explained that the claim for damages included the following:

  1. Legal costs as disclosed on invoices issued by legal firms/practitioners for assistance in drafting submissions and evidence for use by her in:

  1. the current proceedings; and

  2. the prior proceedings (which were withdrawn); and

  1. Damages for the ongoing stress to the Applicant caused as a result of this matter not being promptly dealt with.

  1. In respect of (1)(b) above, she said the original complaint (the First Letter) met all the requirements for an internal review request under s 53 of the PPIP Act and should have been referred to the Privacy Team as a request for internal review under the PPIP Act. Instead, it was (wrongly) dealt with by the Research Ethics Committee. This was the line of questioning directed to Ms Ghissabe in cross-examination. Ms Ghissabe confirmed that although she had assisted with some insights, the matter was originally dealt with by the Research Ethics Committee, and not by her team.

Consideration of orders sought

  1. Disciplinary matters against staff are not, as submitted by the Respondent, within the scope of these proceedings.

  2. Nor does the Tribunal have power to make orders in respect of persons or organisations other than SCHN, or orders that relate to the health information of other patients.

  3. Many of the above orders sought by the Applicant assume that the disclosure was not authorised under HPP 11(1)(f). I have found above that was not the case.

  4. The award of damages, as submitted by SCHN at [151], requires:

  1. A finding of breach – which has been found;

  2. A recoverable form of damage listed in s 55(4) of the PPIP Act (namely, “financial loss, or psychological or physical harm”), here being psychological harm;

  3. An establishment of the causal link between the breach arising from the conduct and the loss or harm claimed to have been suffered;

  4. Even if satisfied that the harm suffered is “because of” the agency’s privacy breach, the Tribunal must exercise a discretion; and

  5. The payment of damages is to be “by way of compensation”. I accept that the maximum amount should be reserved for the most serious breaches and the sums of money to be awarded should be determined in that context.

  1. I have found that there was no breach of the HPPs caused by the failure to seek the Applicant’s consent. That was the primary submission of the Applicant, and I have found there was no “unauthorised disclosure” of that kind. As a consequence, I have found there was no breach of HPP 10, HPP 11 or HPP 14. The distress caused by the disclosure itself is therefore outside the bounds of consideration in any claim for damages.

  2. Nonetheless, I have found a breach of HPP 5(1)(c) because the Applicant’s health information was not adequately protected when the email was sent with identified health information in an unencrypted attachment with no password protection, no statement as to the Research Project, and no warning regarding the sensitivity of the contents or limitations on its use.

  3. The Applicant has said in his statements that he was also distressed that his health information was subjected to a “loss of control”, leading to his fears that its sharing was not appropriately limited.

  4. Two “medical reports” were presented. The first was a one-page letter from Paul Smith. He said that he had been assisting the Applicant with his psychological counselling for many years, and had observed the additional stress and deterioration of his psychological condition as a result of the events which occurred in “2019-2020”. I share the concerns in SCHN’s submissions regarding the report being undated and the references within it to events occurring in these years when the Applicant was unaware of the disclosure until 2023.

  5. The second document was a medical report from Mr Borenstein, which was filed shortly before the hearing. Mr Borenstein was a clinical psychologist, and had seen the Applicant several times in 2024 and 2025. His observations were based, in significant part, on the Applicant’s own reporting of the events. Nonetheless, I have read the report and the diagnoses made as to the Applicant’s mental health condition.

  6. There was no oral testimony by these witnesses; the Tribunal was told Mr Borenstein was unable to attend. He was therefore not subject to cross-examination.

  7. I find that the breach of HPP 5(1)(c) and the resulting “loss of control” felt by the Applicant nonetheless establishes the causal link. The Applicant attended the hearing and was not questioned on his statements as to the psychological impact on him. I am satisfied that the breach has led, in consequence, to some part of his already existing distress being exacerbated.

  8. The evidence by way of the two reports, noting the objections of SCHN as to their limited weight (which I acknowledge), is nonetheless supportive of the distress that he has suffered: see CJU v SafeWork NSW [2018] NSWCATAD 300 at [117] (following AOZ v Rail Corporation NSW (No 2) [2015] NSWCATAP 179).

  9. They are also consistent with a finding I make that the Applicant has been undergoing counselling for many years as a consequence of his debilitating illness, and that his mental health condition would have been exacerbated by the death of his sibling in recent years from the same illness. And, as noted in SCHN’s own submissions, in considering an award of damages, the Tribunal has regard to the Applicant himself, and not to the psychological state of a “hypothetical person”.

  10. Having regard to these matters, I am satisfied that the Applicant suffered additional psychological harm in the form of distress about not knowing whether his health information was viewed by, shared with, or accessed by other persons within MCRI or SCHN. That was due and attributable to the conduct that led me to find a breach of HPP 5(1)(c), separate from the disclosure itself.

  11. I am also satisfied that this distress continued for longer than necessary in the circumstances set out above in respect of the handling of the original complaint.

  12. I observe that there was no evidence that the Applicant has been appropriately compensated through any related claim.

  13. In the above circumstances, it is appropriate to award damages to the Applicant by way of compensation for psychological harm in the amount of $6,000.

Legal Costs

  1. Out of the total damages claim of $40,000, the majority were for the Applicant’s cost of preparing for these proceedings, in respect of the expert evidence presented, or in respect of the legal costs incurred.

  2. Both categories are, as submitted by SCHN, in the nature of a claim for costs and not damages.

  3. The general rule in proceedings before this Tribunal is that each party bears its own costs. Under s 60 of the NCAT Act, the Tribunal must find that there are “special circumstances” and, in addition, that those special circumstances warrant an award of costs. It is a discretion, and there must be strong reasons to depart from the general rule.

  4. The Applicant did not appear by a legal representative and the legal invoices presented also showed that several different firms and/or legal practitioners had provided legal advice. It is unclear how precisely they relate to the matters in issue before me or what (if any) costs would be ordered.

  5. In the absence of any application for costs, I decline to consider this matter further. I also decline to consider the alleged breach of the Model Litigant Guidelines, the without prejudice letter or the other matters raised by the Applicant regarding the conduct of SCHN’s legal representatives.

Other orders

  1. I make orders below for SCHN to review, update and monitor its procedures for disclosures of health information for research purposes without consent.

  2. These are the substantive matters requiring the making of orders as a consequence of the breach of HPP 5(1)(c) as found.

  3. I do not agree with SCHN’s submissions that the evidence presented by Ms Ghissabe would lead me to conclude that “no orders are appropriate”.

  4. I have not made formal orders regarding the processes for handling privacy complaints or the updating of the Patient Leaflet as recommended in the IR Decision. SCHN should have regard to those recommendations, which are uncontroversial and should be implemented as a matter of course if it has not already done so.

No other confidentiality orders sought

  1. Other than non-disclosure of the Applicant’s name, no confidentiality orders were sought by the parties in respect of the evidence filed with the Tribunal.

  2. Although these reasons have been written on that basis, I have made orders deferring publication and permitting applications to be filed under s 64 of the NCAT Act within 14 days. Any application should be accompanied by written submissions of no more than 5 pages and attached proposed draft orders identifying the relevant material or part of these reasons over which the application is sought, and should advise of any objection to the matter being determined on the papers. Any application will be considered on its merits.

Correction of name

  1. The proceedings referred to SCHN by the incorrect name. I have made orders to amend the name below.

Orders

  1. I make the following orders:

  1. The name of the Respondent is corrected from “Sydney Children’s Hospital Network” to “Sydney Children’s Hospitals Network”.

  2. The Respondent is to provide an unreserved formal written apology to the Applicant addressing and apologising for the Respondent’s breach of HPP 5(1)(c) in respect of the Applicant’s health information and for all distress caused to the Applicant as a result of that breach.

  3. The Respondent is to pay the Applicant $6,000 in damages for the above breach.

  4. Orders 2 and 3 are to be complied with within 30 days of the date of these orders.

  5. The Respondent, as soon as practicable, must review, update and monitor its procedures so that disclosures of health information for research purposes without consent:

  1. comply with approved security protocols for the method of sending identifiable health information;

  2. clearly reference the research project and applicable waiver of consent; and

  3. include warnings as to confidentiality and limitations on use.

  1. The publication of these reasons is deferred for a period of 28 days after the date of these orders, or such later date ordered by the Tribunal.

  2. The parties have 14 days from the date of these orders to file an application for any further confidentiality orders under s 64 of the Civil and Administrative Tribunal Act 2013 (NSW), which should comply with par 251 of these reasons.

**********

I hereby certify that this is a true and accurate record of the reasons for decision of the Civil and Administrative Tribunal of New South Wales.


Registrar

Amendments

24 July 2025 - Paragraph 214 - replaced "highly sensitive de-identified health information" with "highly sensitive and identifiable health information".

Decision last updated: 24 July 2025

Cases Cited

ALZ v WorkCover NSW [2014] NSWCATAD 49
ALZ v WorkCover NSW (No 2) [2014] NSWCATAD 122