Reference to "medical reasons" breached obligations to keep health information private

Mathew Baldwin, Connie Beswick
12 May 2022

The circumstances of a use or disclosure, and its impact on the relevant individual, need to be considered when determining if there has been a breach of the Health Privacy Principles or other privacy principles.

The intersection of Health Privacy Principles (HPPs) and the functions of a public body has been explored in a recent decision in the NSW Civil and Administrative Tribunal, demonstrating the potentially broad application of the HPPs to practical scenarios.

In EIG v North Sydney Council [2022] NSWCATAD 127, the Council had received health information from an individual serving in a public role, and had to make an assessment on whether to disclose this in performing the functions of the Council. Its decision led to a breach of HPPs 4 and 11 under the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).

The HRIP Act applies both to NSW public sector agencies and private sector organisations in relation to the collection, storage, use and disclosure of a person's “health information”. The HRIP Act is similar to, but applies in addition to, the obligations applying to NSW public sector agencies (as applicable) under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and to private sector organisations under the Privacy Act 1988 (Cth). There are similar Health Privacy Principles in Victoria and the Australian Capital Territory.

North Sydney Council receives a request from a councillor

NSW's Office of Local Government had decided in-person council meetings should resume following the COVID-19 pandemic, unless a council member could justify their absence. A North Sydney councillor had made an application to justify their absence, but had expressly requested that the reasoning and information provided remain confidential for privacy reasons.

The Council disclosed in a report published on its website that an identified councillor had sought to attend Council meetings remotely for a period of five months for “medical” reasons. It had made an assessment that listing the reason for remote attendance as “medical” without further details was not “health information” within the meaning of the HRIP Act and included it in the public report. The Council also considered that a supporting medical certificate was “health information”, and the certificate was not provided openly (while it was circulated to other councillors, this was not the subject of the complaint, so the Tribunal did not consider if that action was also a breach of the HPPs).

The Tribunal accepted the claim that the disclosure of this information caused significant distress, as the applicant had kept the fact of their medical condition private and had not wished to discuss it with anyone at that point in time. The applicant was also concerned that the disclosure of that information would negatively impact their re-election.

The applicant argued this disclosure was of health information and breached HPP 4 and HPP 11:

  • HPP 4 requires an organisation that collects health information from an individual to take reasonable steps to ensure that the individual is made aware of the purposes for which the information is being collected and the persons to whom the organisation usually discloses information of that kind; and
  • HPP 11 requires that an organisation that holds health information for a purpose (secondary purpose) other than the purpose for which it was collected (primary purpose) must not disclose that information unless, relevantly, with the individual’s consent or where the secondary purpose is related to the primary purpose and the individual would reasonably expect the organisation to disclose the information for the secondary purpose.

What is “health information”?

The definition of “health information” includes non-public information, or an opinion about the physical or mental health or a disability (at any time), of an individual (section 6(a)(i) of the HRIP Act). The individual's identity must also be apparent, or be reasonably ascertainable, from the information or opinion (section 5(1) of the HRIP Act).

The Council conceded, and the Tribunal accepted, that the reference to "medical" reasons was non-public information about the applicant, whose identity was apparent from the report. The Tribunal makes clear that what amounts to the disclosure or use of “health information” depends on the context of the disclosure or use. In the context in which it was used, disclosing that the applicant had requested approval to attend meetings remotely because in-person attendance was prevented for a medical reason or reasons was found by the Tribunal to be information about the physical or mental health or disability of an individual.

The Tribunal distinguished a previous decision in DQN v The University of Sydney [2019] NSWCATAD 266, where the use of the single word “illness” was not sufficient to constitute “health information”. It noted that it could not consider the full context of the use of the word “illness” in that case, and focused instead on the circumstances of the current case as being of prime importance when considering if there has been use or disclosure. While context is therefore critically important, the fact that the breach came about through the use of a single word demonstrates how broadly the definition of “health information” can apply in practical scenarios.

The Tribunal has also recently made other findings on what amounts to “health information” under the HRIP Act, including a statement in an internal NSW Police Force report that a person was medically discharged due to a significant psychological injury. That decision looks at when personal information becomes health information that is subject to the HRIP Act.

The breached Health Privacy Principles

The Tribunal noted in respect of HPP 4 that the applicant was not made aware of the intention to include the information in a public report when it was collected. This was enough to constitute a breach of HPP 4.

Its analysis of HPP 11 also relies heavily on the circumstances, including that the applicant expressly objected to the information being made public and so could not be taken to have consented to the disclosure and would not reasonably expect that information to be disclosed. The information was collected for the primary purpose of Council considering the applicant’s request to attend meetings remotely, and held for the secondary purpose of placing on the public record relevant information in relation to Council meetings.

The Tribunal ordered that the Council issue a further apology to the applicant, and that a notice stating that the Council breached the HPPs remain on the Council's website for a further three months from publication (a more qualified apology had previously been given). The disclosure in the report of the applicant’s reason for requesting remote attendance had already been removed.

The Tribunal found that it was beyond its powers to order that the relevant Council manager be stood down or to refer the matter to the NSW Police Force for investigation.

Financial compensation had not been sought, but could have been awarded by the Tribunal in appropriate circumstances.

Key takeaways for organisations handling personal or health information

  1. Organisations need to have processes to identify personal information and health information, and to manage them consistently with consents / notifications.
  2. When considering how to apply privacy laws, circumstances will always be of critical importance. The actual impact of a use or disclosure on the relevant individual needs to be considered when determining if there has been a breach of the relevant HPPs or other privacy principles.
  3. While not setting a formal legal precedent beyond the circumstances of the application, the decisions by the Tribunal provide good examples of the method for interpreting privacy laws. This decision shows how terms such as health information and personal information are to be interpreted under privacy laws.
  4. The decision also shows that any secondary purposes, even the Council’s duty to make proceedings public, must be balanced against the privacy of the individual.

Privacy laws are an area where there is currently a considerable focus on reform and a general move towards increasing the available powers of regulatory bodies to enforce and issue financial penalties for breaches. This is an area where getting it wrong can have hefty consequences beyond the reputational.  
