Topic(s): Health | Data security / breach

Own Motion Investigation v Medical Centre [2009] PrivCmrA 6


Case Citation:

Own Motion Investigation v Medical Centre [2009] PrivCmrA 6

Subject Heading:

Failure to keep sensitive personal information secure

Law:

National Privacy Principle 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

The Privacy Commissioner was informed that a number of medical documents, including patients' prescriptions and pathology results, were found scattered in a public park adjacent to a private medical centre. The name of the centre was visible on some of the documents. The documents included patients' names, addresses and phone numbers. The information given to the Commissioner suggested that the documents had come from a large bin at the rear of the private medical centre.

Issues:

Section 6 of the Privacy Act defines personal information as information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Sensitive information is a particular subset of personal information to which more stringent standards apply. It includes, but is not limited to, an individual's health information.

NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

In deciding what are 'reasonable steps' to ensure data security, an organisation must consider a number of factors. For instance, what is reasonable depends on the circumstances in which personal information is held. The sensitivity of the personal information stored is also an important factor, and higher levels of security could be expected for sensitive information, such as health information.

Outcome:

The Privacy Commissioner commenced an own motion investigation under section 40(2) of the Privacy Act.

The medical centre responded promptly to the Commissioner's investigation as it had already commenced its own investigation into the matter.

The medical centre found that a lock on a medical waste bin, kept outside at the rear of the centre, had been tampered with and the contents of the bin thrown around an adjacent public park. The contents included medical documents belonging to the centre that contained individuals' personal and sensitive information.

The medical centre advised that facilities nearby the park, including rear access to a shopping centre, a car park, and a public toilet block, had previously been broken into or vandalised.

Having regard to the sensitivity of the information held by the medical centre, the Commissioner and the centre devised a number of steps that the centre could take to ensure that information was kept securely.

The medical centre advised that it had already sought council approval to have secure fencing installed around the premises to reduce the risk of break-ins and vandalism. It agreed to move the secure medical waste bin inside the secured premises so that it could not be tampered with. The bin was fitted with a new secure lock to which the medical centre manager held the key.

The medical centre developed policies and procedures for the secure destruction of personal information and trained medical and administrative staff in the proper destruction of both medical waste and medical documents. The medical centre instructed its staff that medical documentation was not to be left with general medical waste for collection. Instead, the centre obtained a shredder so that medical documents that were no longer needed could be securely destroyed on-site.

The medical centre also advised the Commissioner that it would write to all of its patients and advise them of the matter and the steps the medical centre was taking to address it.

The Commissioner considered all of the action taken by the medical centre and was satisfied that it had taken reasonable steps to protect the sensitive information it holds from misuse and loss, and from unauthorised access, modification or disclosure. As the medical centre had met the obligations imposed by NPP 4.1, the Commissioner ceased her own motion investigation into the matter.

OFFICE OF THE PRIVACY COMMISSIONER

May 2009