Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not-for-profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site; consequently, some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
H v Health Service Provider [2007] PrivCmrA 10
Case Citation:
H v Health Service Provider [2007] PrivCmrA 10
Subject Heading:
Inappropriate disclosure of information
Law:
National Privacy Principles 2 and 4 in Schedule 3 of the Privacy Act 1988 (Cth)
Facts:
The complainant underwent a medical test at a medical centre. The results of this test were disclosed to a third party, and the complainant raised this matter with the medical centre. After further pursuit of the matter by the complainant, the disclosing employee was reprimanded for the disclosure. However, this did not satisfy the complainant, who then raised the issue with the Privacy Commissioner.
Issues:
National Privacy Principle 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of the collection unless an exception in National Privacy Principle 2.1(a)-(h) applies. In particular, health information may be disclosed for a directly related secondary purpose which is within the individual's reasonable expectations.
National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
Outcome:
The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act.
National Privacy Principle 4
After gathering information about the medical centre's records handling procedures, the Commissioner formed the view that the measures taken by the medical centre could be reasonably expected to protect the personal information held by the centre. These measures included staff training, physical security, logical security, internal policy and staff confidentiality agreements.
In this instance, a staff member departed from the standard process. Consequently, the Commissioner did not find the medical centre had contravened National Privacy Principle 4.1.
National Privacy Principle 2
However, the Commissioner concluded that the medical centre had failed to comply with National Privacy Principle 2.1. This was because it had collected the complainant's personal information to provide a particular form of health care and used it for a different, unrelated purpose which was in no way within the complainant's reasonable expectations. Nor did the Commissioner consider that any other exception in National Privacy Principle 2 permitted the disclosure of the complainant's personal information.
During conciliation, the medical centre made the complainant an offer of compensation without admitting liability, and the complainant accepted this offer. Satisfied with this outcome, the Commissioner closed the matter under section 41(2)(a) of the Privacy Act on the basis that the medical centre had adequately dealt with the complaint.
OFFICE OF THE PRIVACY COMMISSIONER
June 2007


