ALQ March 2022 Privacy

Issue: March 2022

Privacy decisions

Parent's access to information under HRIPA and public interest considerations

Access the decision: FCZ v Illawarra Shoalhaven Local Health District [2022] NSWCATAD 79.

The applicant sought review of a decision by the respondent to refuse her access to confidential health information concerning her daughter. She submitted that the refusal to provide access to the information amounted to a contravention of Health Privacy Principle 7 in the Health Records and Information Privacy Act 2002, which requires an organisation to provide health information about a person to the person (or their authorised representative, being, amongst other things, a parent with parental responsibility over a child) upon their request.

The Tribunal held that the applicant was not an authorised representative capable of accessing her daughter's information because orders made pursuant to the Family Law Act 1975 (Cth) awarded sole parental responsibility for her daughter to her daughter's father and that, even if she were an authorised representative, there was an overriding public interest against disclosure of the information under s. 13 of the Government Information (Public Access) Act 2009.

Amending personal and health information about a deceased person held by an agency

Access the decision: ENY v Nepean Blue Mountains Local Health District [2021] NSWCATAD 382.

The Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 (HRIP Act) contain obligations to correct personal information and health information 'at the request of the individual to whom the information relates'.  ENY applied for review in the Tribunal of the alleged failure of the respondent to amend the information of her late father under each Act.

The Tribunal held that 'the individual to whom the information relates' must be read as extending to 'the individual and their personal representative', in this case, the applicant as executrix, to preserve the posthumous efficacy of the statutory privacy obligations, read in conjunction with the definition of 'personal information' as information about a person deceased not less than 30 years. It also held that an 'executor' is an 'authorised representative' under s. 8 of the HRIP Act because they are empowered under law to act both in the 'best interests' of the deceased and as the 'agent' of the testator.

The respondent has filed an appeal from the decision to be heard in May 2022.

Referral is a one-way street

Access the decision: CJU v HealthShare NSW [2021] NSWCATAD 372.

CJU made an enquiry to HealthShare NSW concerning her human resources records. HealthShare could not answer the inquiry, so an employee of HealthShare directed the enquiry to CJU's employer, a local health district (LHD), by forwarding their email correspondence. CJU complained that this was an unlawful disclosure because there was reason to expect that CJU would object to the disclosure.

The Tribunal held that the exemption in s. 27A, which exempts an agency from compliance with Information Protection Principles where the disclosure of personal information is reasonably necessary 'to enable inquiries to be referred between the agencies concerned', was unavailable.  Accepting that it was 'reasonably necessary' to disclose the fact of the inquiry to the LHD, the Tribunal held that a 'referral' must only involve a disclosure for the purpose of the second agency dealing with the inquiry. In this case, the Tribunal held that the correspondence to the LHD contemplated that information would be exchanged back to HealthShare, which would then be used to assist CJU.

HealthShare has filed an appeal against the decision to be heard in May 2022.

Defining the scope of NCAT's jurisdiction in requests for personal information

Access the decision: EEH v Insurance & Care NSW [2022] NSWCATAD 82.

The applicant sought documents under s. 14 of the Privacy and Personal Information Protection Act 1998 relating to a previous workers compensation claim. He made several follow-up requests requesting specified information alleged to be missing and sought internal review in relation to one of those requests. He also submitted that the Tribunal should also consider whether there was delay in the provision of information sought in follow-up requests made after his request for internal review, on the basis that each originated from a single broad request.

The Tribunal, inter alia, observed that, in some circumstances, the conduct of an agency subsequent to a request for internal review could bear on whether there had been excessive delay prior to that request.

Conduct of 'rogue employee' not attributable to employing agency under HRIPA

Access the decision: EQH v Health Administration Corporation (No. 2) [2022] NSWCATAD 45.

The conduct of a 'rogue employee' who accessed personal and health information without authorisation is not attributable to the employing agency where it has complied with Health Privacy Principle (HPP) 5(1)(c) in the Health Records and Information Privacy Act 2002 by taking reasonable security safeguards against unauthorised access and misuse of information.

The Tribunal accepted the respondent's submissions that its safeguards were reasonable and sufficient: it had extensive policies and procedures relating to privacy; it brought these to the attention of its employees through mandatory and optional training; it limited staff access to patient health information to those who needed access to perform their duties; and it conducted audits and took disciplinary action where appropriate following allegations of inappropriate access. As a result, the respondent was not responsible for any use or disclosure of EQH's information.

New privacy legislation: provisions regarding sharing of information during an emergency

Following the passage of the Customer Service Legislation Amendment Act 2021, new provisions are now provided regarding the sharing of information during an emergency (as defined in the State Emergency and Rescue Management Act 1989).

The new s. 27D of the Privacy and Personal Information Protection Act 1998 exempts public sector agencies from compliance with the Information Protection Principles set out in that Act if the collection, use or disclosure of personal information is reasonably necessary to assist in a stage of an emergency and is only for that purpose.

The new cll. 10(1)(b1) and 11(1)(b1) of Sch. 1 to the Health Records and Information Privacy Act 2002 enable organisations that hold health information to use or disclose the information for a purpose other than the purpose for which it was collected if the use or disclosure is reasonably necessary to assist in a stage of an emergency.

For both Acts, this can only occur if it is in circumstances where it is impracticable or unreasonable for the organisation to seek the consent of the individuals concerned. Personal and health information that is shared by agencies in reliance upon these new provisions must not be held for longer than 18 months unless extenuating circumstances apply or consent has been obtained, nor can such information received by a law enforcement agency be used for the purpose of prosecuting an offence.

Other decisions in this edition

Last updated:

16 Nov 2022

We will use your rating to help improve the site.
This field is required
Please don't include personal or financial information here
This field is required
Please don't include personal or financial information here

We acknowledge Aboriginal people as the First Nations Peoples of NSW and pay our respects to Elders past, present, and future. 

Informed by lessons of the past, Department of Communities and Justice is improving how we work with Aboriginal people and communities. We listen and learn from the knowledge, strength and resilience of Stolen Generations Survivors, Aboriginal Elders and Aboriginal communities.

You can access our apology to the Stolen Generations.

Top Return to top of page Top