Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
P v Private Health Service Provider [2008] PrivCmrA 16
Case Citation:
P v Private Health Service Provider [2008] PrivCmrA 16
Subject Heading:
Failure to destroy personal information which is no longer needed
Law:
National Privacy Principles 2 and 4.2 in Schedule 3 of the Privacy Act 1988 (Cth)
Facts:
The complainant arranged an appointment to consult a health service provider. On arrival at the clinic, the receptionist requested that the complainant complete a form that included the complainant's contact information, Medicare number and medical history.
Prior to any consultation or treatment, the complainant decided not to use the health service provider's services and requested that the health service provider destroy any personal information that they had already collected.
The health service provider refused to destroy the personal information and claimed this refusal was based on its obligations pursuant to the Medical Practice Regulations 2003 made under the Medical Practice Act 1992 (NSW).
Issues:
NPP 4.2 states that an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2.
NPP 2.1(g) permits use or disclosure of personal information where required or authorised by or under law.
At the time of the alleged contravention of the Privacy Act, Regulation 5 of the Medical Practice Regulations 2003 provided that a record must be maintained for each patient of the medical practitioner or corporation. Regulation 6 stated that a record must be made contemporaneously with the provision of medical treatment or other medical service. Regulation 7 stated that a record must be maintained for 7 years. Regulation 5 also stated that a contravention of Regulation 5 is unsatisfactory professional conduct.
If the health service provider could establish that it had a legal requirement or authority to retain the complainant's personal information, the reasonable steps under NPP 4.2 may be satisfied in this instance without destruction or de-identification of the complainant's personal information.
Outcome:
The Privacy Commissioner investigated the matter under section 40(1) of the Privacy Act.
The Commissioner was satisfied that the complainant was a patient of the health service provider and that the personal information collected by the health service provider constituted a 'medical record' pursuant to the Medical Practice Regulations 2003. Regulation 7 requires that a record must be made contemporaneously with the provision of medical treatment, or in this case, "other medical service." The Commissioner also found Regulation 7 of the Medical Practice Regulations 2003 required medical practitioners to maintain a record for 7 years.
The Commissioner decided that because the health service provider had a legal requirement to maintain the record of the complainant's personal information for 7 years, reasonable steps under NPP 4.2 did not include the requirement to destroy or permanently de-identify the complainant's personal information.
Therefore, the Commissioner decided not to investigate the matter further under section 41(1)(a) of the Privacy Act as she was satisfied that there was no interference with the privacy of the individual.
OFFICE OF THE PRIVACY COMMISSIONER
June 2008


