Topic(s): Health | Sensitive information
 

D v Health Service Provider [2008] PrivCmrA 4


Case Citation: 

D v Health Service Provider [2008] PrivCmrA 4

Subject Heading:

Unauthorised access to and security of personal information

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The complainant provided their personal information to a health service provider, a private clinic, during a consultation prior to undergoing a surgical procedure.  The complainant subsequently received a telephone call from the clinic asking the complainant to return for another pre-surgical consultation.  The clinic advised the complainant that it again needed to prepare pre-surgical notes as those prepared earlier could not be located.  The clinic advised the complainant that the notes were most likely in the complainant's possession, or the clinic's cleaning staff may have misplaced them.

The complainant felt that the clinic had not taken adequate steps to protect their personal information from unauthorised access or loss, and made a complaint to the Privacy Commissioner.

Issues:

Section 6 of the Act defines personal information as information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

National Privacy Principle 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

In deciding what are 'reasonable steps' to ensure data security, an organisation must consider a number of factors. For instance, what is reasonable depends on the circumstances in which personal information is held. The sensitivity of personal information stored is also an important factor and higher levels of security could be expected for sensitive information, such as health information.

Outcome:

The Privacy Commissioner opened an investigation into the matter under section 40(1) of the Privacy Act. 

The clinic advised the Commissioner that during the initial consultation with the complainant, the consulting doctor recorded some notes on an A4 sheet of paper.  However, the clinic asserted that the doctor did not record any information on the sheet of paper that would identify the complainant, such as their name, address or date of birth.  Immediately following the consultation the doctor realised that this A4 sheet of paper was missing.  The clinic assumed the complainant had taken the sheet of paper and contacted them to organise another consultation.

The clinic also advised the Commissioner that clinic staff did the day-to-day cleaning and that it did not have any contracted cleaners or other such persons who could have accessed the clinic's records. 

With reference to the clinic's security practices, the clinic advised the Commissioner that all patient files are kept in a lockable cabinet and only the doctor and clinic staff have access to this cabinet.  The clinic advised that it had told the complainant that cleaning staff may have lost the sheet of paper to spare embarrassment to the complainant.   

The complainant was unable to recall what specific information was recorded by the doctor on the A4 sheet of paper. In the absence of any evidence to the contrary, the Commissioner could not be satisfied that the missing A4 sheet of paper contained any 'personal information' about the complainant in that the content of that page did not identify them, having been separated from the rest of the complainant's medical file.

The Commissioner reached the view that the missing information consisted of one A4 sheet of paper separate from the rest of the complainant's medical file and did not meet the definition of personal information provided in the Act. 

Therefore, the Commissioner decided not to investigate the matter further under section 41(1)(a) of the Privacy Act as she was satisfied that there was no interference with the privacy of the individual.

OFFICE OF THE PRIVACY COMMISSIONER May 2008