In this case the applicants alleged that the Local Health District (LHD) had breached their privacy when an employee of the LHD gained unauthorised access to the applicants’ health information.
The employee was a nurse at the LHD and the applicants were the nurse’s former wife, her mother and one of her brothers.
The applicants’ health information was recorded in the LHD’s electronic database, which was accessible only by means of a username and password. NSW Health policy requires that employees keep their passwords confidential and never leave their workstation unattended while logged in.
The nurse did not have a username or password but whilst on night duty in the early morning of 14 August 2015, found a computer that had been left logged on and used it to access the applicants’ health information.
At the time, the nurse and his former wife had a matter before the Child Support Agency and another matter before the Family Court. In connection with both those matters, the nurse provided an affidavit which the applicants alleged contained health information about them from the hospital database. The nurse maintained that the information was known to him because of his relationship with the applicants.
The applicants applied for an internal review of the LHD’s conduct. The internal review concluded that HPP 5 (Retention and security) had been breached because the staff member who failed to log out when she left her workstation failed to comply with the LHD’s policy. The internal review concluded that there had been no breach of the use and disclosure principles (HPPs 10 and 11).
The applicants then sought a review of the LHD’s conduct by NCAT.
The first question for NCAT was whether there had been any use or disclosure of the applicants’ health information by the LHD. NCAT concluded that the nurse had accessed the health information in breach of LHD policy and for his private purposes. The provision of the information to the Family Court and Child Support Agency was for “purposes extraneous to” the LHD. For those reasons the authority of Director General, Department of Education and Training v MT applied and there had been no use or disclosure of the applicants’ health information by the LHD.
Although the LHD had conceded that it had breached HPP 5, NCAT was not bound by that concession. NCAT noted that the requirement in HPP 5.1(c) was for the LHD to take “such security safeguards as are reasonable in the circumstances” to protect health information. It did not necessarily follow that because there had been unauthorised access the LHD’s security safeguards were not reasonable in the circumstances. NCAT concluded that a further planning meeting was required to consider these issues.
Post by John Kell