Crown Solicitor's Office

ALQ March 2022 Privacy

Issue: March 2022

Privacy decisions

Parent's access to information under HRIPA and public interest considerations

Access the decision: FCZ v Illawarra Shoalhaven Local Health District [2022] NSWCATAD 79.

The applicant sought review of a decision by the respondent to refuse her access to confidential health information concerning her daughter. She submitted that the refusal to provide access to the information amounted to a contravention of Health Privacy Principle 7 in the Health Records and Information Privacy Act 2002, which requires an organisation to provide health information about a person to the person (or their authorised representative, being, amongst other things, a parent with parental responsibility over a child) upon their request.

The Tribunal held that the applicant was not an authorised representative capable of accessing her daughter's information because orders made pursuant to the Family Law Act 1975 (Cth) awarded sole parental responsibility for her daughter to her daughter's father and that, even if she were an authorised representative, there was an overriding public interest against disclosure of the information under s. 13 of the Government Information (Public Access) Act 2009.

Amending personal and health information about a deceased person held by an agency

Access the decision: ENY v Nepean Blue Mountains Local Health District [2021] NSWCATAD 382.

The Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 (HRIP Act) contain obligations to correct personal information and health information 'at the request of the individual to whom the information relates'. ENY applied for review in the Tribunal of the alleged failure of the respondent to amend the information of her late father under each Act.

The Tribunal held that 'the individual to whom the information relates' must be read as extending to 'the individual and their personal representative', in this case, the applicant as executrix, to preserve the posthumous efficacy of the statutory privacy obligations, read in conjunction with the definition of 'personal information' as information about a person deceased not less than 30 years. It also held that an 'executor' is an 'authorised representative' under s. 8 of the HRIP Act because they are empowered under law to act both in the 'best interests' of the deceased and as the 'agent' of the testator.

The respondent has filed an appeal from the decision to be heard in May 2022.

Referral is a one-way street

Access the decision: CJU v HealthShare NSW [2021] NSWCATAD 372.

CJU made an enquiry to HealthShare NSW concerning her human resources records. HealthShare could not answer the inquiry, so an employee of HealthShare directed the enquiry to CJU's employer, a local health district (LHD), by forwarding their email correspondence. CJU complained that this was an unlawful disclosure because there was reason to expect that CJU would object to the disclosure.

The Tribunal held that the exemption in s. 27A, which exempts an agency from compliance with Information Protection Principles where the disclosure of personal information is reasonably necessary 'to enable inquiries to be referred between the agencies concerned', was unavailable. Accepting that it was 'reasonably necessary' to disclose the fact of the inquiry to the LHD, the Tribunal held that a 'referral' must only involve a disclosure for the purpose of the second agency dealing with the inquiry. In this case, the Tribunal held that the correspondence to the LHD contemplated that information would be exchanged back to HealthShare, which would then be used to assist CJU.

HealthShare has filed an appeal against the decision to be heard in May 2022.

Defining the scope of NCAT's jurisdiction in requests for personal information

Access the decision: EEH v Insurance & Care NSW [2022] NSWCATAD 82.

The applicant sought documents under s. 14 of the Privacy and Personal Information Protection Act 1998 relating to a previous workers compensation claim. He made several follow-up requests for specified information alleged to be missing and sought internal review in relation to one of those requests. He also submitted that the Tribunal should consider whether there was delay in the provision of information sought in follow-up requests made after his request for internal review, on the basis that each originated from a single broad request.

The Tribunal, inter alia, observed that, in some circumstances, the conduct of an agency subsequent to a request for internal review could bear on whether there had been excessive delay prior to that request.

Conduct of 'rogue employee' not attributable to employing agency under HRIPA

Access the decision: EQH v Health Administration Corporation (No. 2) [2022] NSWCATAD 45.

The conduct of a 'rogue employee' who accessed personal and health information without authorisation is not attributable to the employing agency where it has complied with Health Privacy Principle (HPP) 5(1)(c) in the Health Records and Information Privacy Act 2002 by taking reasonable security safeguards against unauthorised access and misuse of information.

The Tribunal accepted the respondent's submissions that its safeguards were reasonable and sufficient: it had extensive policies and procedures relating to privacy; it brought these to the attention of its employees through mandatory and optional training; it limited staff access to patient health information to those who needed access to perform their duties; and it conducted audits and took disciplinary action where appropriate following allegations of inappropriate access. As a result, the respondent was not responsible for any use or disclosure of EQH's information.

New privacy legislation: provisions regarding sharing of information during an emergency

Following the passage of the Customer Service Legislation Amendment Act 2021, new provisions now apply to the sharing of information during an emergency (as defined in the State Emergency and Rescue Management Act 1989).

The new s. 27D of the Privacy and Personal Information Protection Act 1998 exempts public sector agencies from compliance with the Information Protection Principles set out in that Act if the collection, use or disclosure of personal information is reasonably necessary to assist in a stage of an emergency and is only for that purpose.

The new cll. 10(1)(b1) and 11(1)(b1) of Sch. 1 to the Health Records and Information Privacy Act 2002 enable organisations that hold health information to use or disclose the information for a purpose other than the purpose for which it was collected if the use or disclosure is reasonably necessary to assist in a stage of an emergency.

Under both Acts, this can occur only in circumstances where it is impracticable or unreasonable for the organisation to seek the consent of the individuals concerned. Personal and health information that is shared by agencies in reliance upon these new provisions must not be held for longer than 18 months unless extenuating circumstances apply or consent has been obtained, nor can such information received by a law enforcement agency be used for the purpose of prosecuting an offence.

Last updated:

09 Jun 2023