CONTACT US: 
Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Types
C v Health Service Provider [2008] PrivCmrA 3
pdf (20.54 KB)
Case Citation:
C v Health Service Provider [2008] PrivCmrA 3
Subject Heading:
Disclosure of personal information by a health service provider
Law:
National Privacy Principle 2 in Schedule 3 of the Privacy Act 1988 (Cth)
Facts:
The complainant was a relative of a client of the health service provider. The complainant had concerns about their relative's health and sent a letter to their relative's employer, outlining those concerns and seeking the employer's intervention and assistance. The complainant marked the email as ''confidential'.
The complainant claimed that in an attempt to arrange appropriate treatment for their relative, the employer disclosed the complainant's letter directly to the relative's health service provider.
The health service provider then disclosed the complainant's name and job title to the complainant's relative, and advised the relative of the nature of the letter.
The complainant alleged that they and their family had been subjected to ongoing harassment and difficulties from the relative as a direct result of the alleged disclosures.
Issues:
National Privacy Principle 2.1 provides that an organisation must not use or disclose personal information about an individual for a purpose, other than the primary purpose of the collection, unless an exception in National Privacy Principle 2.1(a)-(h) applies.
Outcome:
Before opening an investigation, the Privacy Commissioner advised the complainant that she could not investigate the alleged disclosure of the complainant's letter by the employer to the health service provider, as this matter was not within the jurisdiction of the Privacy Act. This was because the employer was a State authority and as such, was not covered by the Commonwealth Privacy Act. The complainant was referred to the relevant State privacy legislation to pursue that specific aspect of their complaint.
The Privacy Commissioner opened an investigation into the disclosure by the health service provider of the complainant's name and job title to the complainant's relative, under section 40(1) of the Privacy Act.
Specifically, the Commissioner sought information from the health service provider in order to establish whether it had disclosed the complainant's personal information to their relative, and if so, whether the disclosure complied with National Privacy Principle 2.1
In responding to the Commissioner, the health service provider advised that it would prefer to attempt to resolve the matter by conciliation.
The Commissioner received information from the complainant that they were seeking an apology acknowledging that the health service provider had improperly disclosed their personal information.
The health service provider offered the letter of apology as full and final settlement of the complaint. The complainant and the health service provider signed a Deed of Release and the written apology was forwarded to the complainant.
The Commissioner then decided to cease the investigation under section 41(2)(a) on the grounds that the health service provider had dealt adequately with the complaint.
OFFICE OF THE PRIVACY COMMISSIONER May 2008
Get RSS feeds