Privacy, employees and human resources: a case report.
Abstract: Health practitioners are well versed in the need to maintain privacy and confidentiality of patients/clients in healthcare relationships. This need for confidentiality is likewise required when an employee of a healthcare institution becomes a patient of that institution. The question which arises is whether any information which emerges as a result of the employee also being a patient can or should be disclosed to the administration of the employing institution where such information may affect the employee or others in the workplace.

Keywords (MeSH): Privacy; Confidentiality; Patient Data Privacy; Medical Records; Health Records, Personal; Disclosure; Access to Information
Article Type: Report
Subject: Privacy, Right of (Interpretation and construction)
Breach of contract (Cases)
Nurses (Civil rights)
Hospitals (Central service department)
Hospitals (Information management)
Hospitals (Human resource management)
Author: Mair, Judith
Pub Date: 02/01/2011
Publication: Name: Health Information Management Journal; Publisher: Health Information Management Association of Australia Ltd.; Audience: Academic; Format: Magazine/Journal; Subject: Health; Copyright: COPYRIGHT 2011 Health Information Management Association of Australia Ltd.; ISSN: 1833-3583
Issue: Date: Feb, 2011; Source Volume: 40; Source Issue: 1
Geographic: Geographic Scope: Australia Geographic Code: 8AUST Australia
Introduction

A case involving an allegation of breach of privacy contrary to New South Wales privacy legislation was brought by an employee of the Northern Sydney Central Coast Area Service in 2010. The employee, NK, received treatment at his employing hospital before being transferred to another treating hospital. His complaint was that a fellow employee of the hospital he was employed in sought information about him from the second treating hospital, then passed information on to the Human Resources Manager of his employing hospital. This information was then disseminated to others within the hospital as part of an internal investigation process.

The case NK v Northern Sydney Central Coast Area Health Service [2010] NSW ADT 258 was heard in the NSW Administrative Decisions Tribunal. Two issues are raised by the case. The first is the ability of an employee of one hospital to obtain information on a fellow employee being treated at another hospital. The second is the use of that information in personnel and human resources processes. The case involves both issues of personal privacy rights and the relevant state legislative provisions.

NK (the 'Applicant') was an employee of a hospital (the 'Hospital') operated by the Respondent health service. He applied to the Tribunal for a review of conduct of the Respondent Hospital between August 2008 and January 2009. The basis of his complaint was with respect to actions taken by a registered nurse ('Nurse W') employed at the Hospital and the Human Resources Manager of that Hospital after NK presented to the Emergency Department of the Hospital on 25 August 2008. The action was taken against the area health service as being vicariously liable for the conduct that its employees engaged in whilst in the course of their employment.

NK sought orders for an alleged breach of his privacy pursuant to the New South Wales Health Records and Information Privacy Act 2002 (the 'Health Privacy Act') and the Privacy and Personal Information Act 1998 (the 'Privacy Act'). In addition, he sought correction of alleged inaccuracies in his personal record, deletion of certain notes in his medical file and award of damages for psychological harm suffered as a result of the alleged breaches of privacy.

The facts and the law discussed in this report are drawn from and summarised from the Reasons for Decision of Montgomery, S - Judicial Member.

The facts

On 25 August 2008 NK was directed to take a day off out of his annual leave by Nurse M, a colleague at the Hospital. The following day, 26 August 2008, NK presented at the Emergency Department of the Hospital seeking help for anxiety and stress said to have arisen from his experiences in the workplace which included allegations of bullying and harassment by Nurse M. The Inpatient Admission Form listed NK's presenting problem as 'forced mania', 'patient states due to work situation took self off medications to have deliberate mania at work. O/E clear thinking man wanting help HX bipolar disorder' [5].

NK was assessed by Nurse W, Acting Clinical Consultant in the Integrated Psychiatric Emergency Service at the Hospital, who completed a twelve page diagnostic form in which she ticked the alert boxes for low risk of self harm and harm to others. Nurse W's notes indicated that NK had thoughts that he could harm Nurse M as he felt that he had been bullied and harassed by her and that his efforts to gain redress through complaints had been ineffective.

After assessing NK, Dr Lim, a psychiatry trainee at the Hospital, Scheduled NK under section 15 of the Mental Health Act 2007, as a mentally disordered person. Dr Lim assessed NK 'as having a moderate level of risk to himself by way of internalizing his anger which may lead to suicidality (sic), as well as a moderate level of risk to others whom he felt had unjustly treated him' [11].

NK was transferred to another hospital (the 'second Hospital') under schedule that evening where he was assessed and declared fit to be discharged on 27 August 2008. The second Hospital was not warned that NK was considered a risk to himself or anybody else's safety. Upon admission at the second Hospital, NK provided information regarding suicidal and homicidal ideation thoughts and feelings including 'homicidal thoughts against supervisor ...' [13]. When NK was released from the second Hospital the following day that Hospital's records indicated that he was no longer having the negative thoughts and feelings.

NK submitted his resignation in writing to the Hospital on 26 August 2008, alluding to various grievances of bullying and harassment allegedly experienced by him whilst working at the Hospital. NK told Nurse W about his resignation whilst being assessed by her in the Emergency Department. NK's resignation letter was provided to his supervisor, Ms A, who in turn provided a copy to the Human Resources Manager and three other staff members, Nurse M, Ms W and Ms L. Ms A asked each of them to read the resignation letter as she believed it was necessary for them to be informed that NK had resigned so that his upcoming shifts could be covered and also sought their comments in relation to the bullying allegations. Each of them denied the allegations as alleged by NK.

Given that NK had indicated in his letter that he would be sending the letter to the 'minister's office as well as my local state and federal member of government as well as the four TV stations as well as two talk back radio stations' [16], Ms A considered she was not under any obligation to keep NK's letter confidential. NK's wife and his mother later attended the Human Resources Department to retrieve the resignation letter due to NK's admission to the Emergency Department. He formally retracted his resignation on 27 August 2008.

Nurse W harboured continuing concerns regarding NK following his transfer to the second Hospital. She contacted that Hospital to inquire as to whether he was still a patient there. When she found out that NK had been discharged a day after his admission, she requested and was faxed his discharge summary form from a nurse employed at the second Hospital. Because of her continuing concerns that NK was having thoughts and feelings of a homicidal nature together with threats of self-harm and harm to Nurse M, she decided to inform her manager. Nurse W stated that she 'only intended using and disclosing this information to management given that, in my view, I was preventing a serious and imminent threat to the life, health or safety of both (NK) and/or his work colleague (Nurse M)' [18].

On 2 September 2008 Nurse W advised the Human Resources Manager that she had reviewed NK's file given the concerns she had arising from his presentation on 26 August 2008. She informed the Human Resources Manager that she had a duty of care to advise him of the threats made by NK which she considered represented a clear and present danger to himself and others. She also considered that, under the Mental Health Act, she had an obligation to report such threats and that such obligation overrode confidentiality provisions.

The Human Resources Manager contacted the Area Director (Clinical Business Unit), the Rehabilitation Coordinator and Senior HR staff. The Human Resources Manager regarded the concerns as serious and, inter alia, arranged to have NK's electronic ID card blocked so that he could not access the department, advised that NK should only be on site for medical reasons or to attend matters relating to any investigations. He also indicated to NK that he would be unable to return to work until he had undergone a specialist psychiatric assessment and received appropriate clearance. He believed that his duty of care to NK, staff and patients of the hospital and the public necessitated his providing information to relevant other persons.

On 8 September 2008, NK attended a meeting with the staff of the Human Relations Department at the Hospital to discuss his return-to-work plan. It was alleged that the Human Resources Manager told NK that Nurse W had advised him that NK had made serious threats against staff. On 23 September, NK lodged a formal grievance relating to his claims of bullying and harassment separate to a claim regarding privacy. Of particular concern to NK was 'that it would appear that my actual medical records or a summary of them had been forwarded to Human Resources. Given patient-doctor confidentiality, I find this extremely alarming' [22].

On 5 October 2008 NK alleged that he realised he needed some professional intervention but was scared to take himself to the Hospital because of the previous breaches of confidentiality. Because it was a public holiday he was unable to locate other suitable support and he subsequently attempted suicide. NK was admitted to hospital and found that the Psychiatric Registrar understood his concerns regarding the previous breach of confidentiality. NK was concerned that he could no longer access emergency treatment from the Respondent Hospital when his bipolar disorder becomes unstable and that his medical record may be discussed with the Human Resources Department of the Hospital.

On 31 October, Dr Jenneke, NK's treating psychiatrist, provided a report indicating that he considered NK fit to return to work. NK received a letter dated 18 December 2008 from the officers conducting the Fact Finding indicating that they regarded the nature of the threats raised by Nurse W as serious enough to warrant breaking patient confidentiality.

On 6 January 2009 NK attended an appointment with his psychiatrist during which he reviewed documentation provided to the doctor by the Respondent's indemnity scheme. NK was concerned that there were inaccuracies in the documentation and that it appeared that the notes had been discussed between the Treasury Managed Fund (the Respondent's indemnity insurers) and the Human Resources Manager. NK found that the notes contained statements from staff and was particularly concerned about one such statement and the extent to which other staff had access to or reviewed his clinical notes.

On 12 January 2009 NK was provided with a copy of a risk assessment, dated 3 September 2008, which included a reference to the previously stated suicidal and homicidal thoughts and the specific threats towards Nurse M. NK was required to sign a consent for documentation related to his return-to-work plan to be forwarded to an independent psychiatrist for review. The same information was noted in the documentation provided to the independent psychiatrist, along with a statement that it had been reported under a perceived duty of care. NK complained that the information contained within the Human Resources Manager's notes was not supported by the medical notes.

NK was shown to be fit to work following a return-to-work assessment dated 13 February 2009. However, arrangements for him to return to work had not been finalised due to the intervention of the proceedings being conducted in the Administrative Decisions Tribunal.

The law

NK's complaints revolved around the use and disclosure of his personal information regarding his medical condition as being in breach of both NSW state Privacy Acts protecting personal information. He claimed that the Respondent disclosed and used his medical record without authority. He also claimed that his personnel record was inaccurate and that such inaccurate information had been used and disclosed to third parties involved in his grievance complaint and his return-to-work assessment. He sought a damages award as compensation for psychological harm, ongoing medical and related expenses incurred by him, loss of liberty, and incremental pay increases due to the alleged numerous breaches of the Health Privacy and Information Protection Principles.

The Health Privacy Principles identified by NK as having been breached were HPP3 Collection; HPP4 Informed; HPP5 Retention and security; HPP7 Access; HPP9 Accuracy; HPP10 Use; and HPP11 Disclosure. The relevant Information Protection Principles identified by him were IPP9 Check accuracy before use; and IPP10 Limits of use.

Retention and security of medical records

NK made two complaints regarding retention and security of his medical records:

1. Unauthorised access

NK contended that Nurse W breached HPP5 by accessing his medical record on 2 September 2008 upon which she appended a notation indicating that she had reviewed the file 'due to risks identified in assessment' [36]. NK contended that the Respondent Hospital failed to protect his medical records from the unauthorised access.

NK also contended that the access by Nurse W breached PD2005 593 Privacy Manual Version 2 NSW Health, the NSW Health mandatory policy directive which stipulates that the right of access by a healthcare provider is normally terminated at the same time that an episode of care concludes for whatever reason. Dr Jenneke gave evidence that this means

A further contention by NK was that Nurse W's conduct in accessing his medical records on 2 September 2008 breached HPP9 relating to accuracy. A notation on NK's medical record made by Nurse W referred to the contact Nurse W made with the second Hospital in which she noted that she had requested and received his notes. Her conclusion from reading the notes was that NK was only kept at the second Hospital for two hours. An internal review conducted by SWAHS found that this statement was inaccurate.

Montgomery JM found that both aspects of Complaint 1, namely a breach of HPP5 and HPP9 were proven.

2. Missing information, incomplete record

NK complained that the file received by Dr Jenneke, which he had requested from the Respondent Hospital, did not contain the additional notation by Nurse W or a copy of the second Hospital medical file that had been faxed directly to her. NK contended that this was a contravention of HPP5 in that information forming his medical record was not included in it when Dr Jenneke requested it. Alternatively, he contended that access to the record was intentionally refused in contravention of HPP7.

Montgomery JM found no basis for finding that the Respondent Hospital intentionally refused Dr Jenneke's request. In his view, it was probable that the stated information was not included in NK's medical records when Dr Jenneke requested it on 11 September 2008.

Montgomery JM found that the Respondent Hospital contravened HPP5 in regard to the security of the information. He stated: 'If the information was not retained on NK's medical records it cannot be said that the Respondent had taken reasonable security safeguards to ensure that the information was protected against loss' [154].

Collection of medical records

NK complained that Nurse W's contact with the second Hospital in which she discussed NK with an unknown person there and requested and received a copy of his medical records was a breach of HPP3, which provides that the collection of health information must be from the individual concerned unless it is unreasonable or impracticable to do so.

NK also complained that Nurse W's conduct constituted a breach of HPP4, which provides that an organisation that collects health information about an individual must take steps that are reasonable in the circumstances to ensure that the individual is aware of a number of matters either at or before the time it collects the information, or as soon as practicable afterwards where it is not practicable at the time.

NK submitted that Nurse W's purpose for collecting his information from the second Hospital was unclear. Nurse W stated that her justification for accessing NK's file after his discharge was that whilst NK ceased to be her patient when he was transferred to the second Hospital, he came within her catchment area once he was discharged from that Hospital. However, NK's follow-up care was to be provided by his general practitioner and his psychiatrist following his discharge from the second Hospital.

Montgomery JM agreed with NK's submission that there was no justification for Nurse W's collection of NK's information from the second Hospital. Consequently, he found that the collection from the second Hospital constituted a breach of both HPP3 and HPP4.

Use of medical records

NK pursued a number of complaints regarding the use of his medical records as follows:

1. Use of information for secondary purpose

NK submitted that the Respondent Hospital breached HPP10, which provides that an organisation that holds health information must not use the information for a purpose (secondary purpose) other than the purpose (the primary purpose) for which it was collected unless the individual to whom the information relates has consented to such use; there is a direct relation between the secondary purpose and the primary purpose and the individual could reasonably expect the organisation to use the information for the secondary purpose; or there is a serious threat to the life, health or safety of the individual or another person, or to public health or safety.

The basis of the complaint was that Nurse W approached the Human Services Manager on 2 September 2008 and discussed NK's presentation to the Emergency Department on 26 August. She also had the second Hospital's medical file in her possession. His file recorded that NK was 'co-operative, hopeful about the future' [61]. NK submitted that Nurse W held the view that NK had not been adequately treated at the second Hospital and appeared to question the opinion of the psychiatrists at that Hospital.

The Respondent Hospital submitted that Nurse W was acting in response to a serious and imminent threat to the life of Nurse M, which falls within an exception expressed in HPP10. The Respondent relied upon a report by Dr Lisa Brown who held the view that the threshold for reporting a risk is low when an individual is named. Her report referred to an article authored by her regarding the case of Tarasoff v Regents of the University of California 551 P2d 334 (1976) in which a psychologist who failed to notify a woman and her family that a patient had told him that he intended to kill the woman, his girlfriend, was held liable for failure to warn. In such circumstances the Court held that any duty the doctor owed to the patient was outweighed by the public interest in safety of the proposed victim.

Dr Jenneke thought it questionable that Nurse W should have disclosed NK's health information in the present case. As part of his evidence, Dr Jenneke stated:

Dr Jenneke doubted that the employer should be informed as the employer is not the victim. He expressed some concern about breaching privacy under the circumstances.

The case of FM v Vice Chancellor, Macquarie University [2003] NSW ADT 78 was also cited in the case. FM was accepted as a postgraduate student at UNSW with a scholarship. A person at UNSW spoke by phone to two persons at Macquarie University where the student had been previously enrolled. During the course of those phone calls the two persons at Macquarie told the inquirer that FM had been involved in conduct at Macquarie towards another student which resulted in his candidature being terminated. Based upon personal information gained from the phone calls and the student's transcript from Macquarie, which gave rise to concerns that the behaviour could be repeated at UNSW, FM's candidature at UNSW was terminated. FM applied to the Administrative Decisions Tribunal under the Privacy and Personal Information Protection Act 1998 for a review of the conduct by the employees of Macquarie University. In that case Hennessey DP held that, 'any threat must be serious and imminent' [71]. He was not persuaded that the disclosed information in that case founded reasonable grounds for a belief that the disclosure was necessary to prevent or lessen a serious and imminent threat to the life or health of any person.

The facts in the present case indicate that Nurse W disclosed NK's health information seven days after she had assessed NK. In evidence she could not recall specific threats made by NK, nor did NK's medical records contain any indication that Nurse W was concerned that NK posed a threat to himself or others at that time, only that he was having suicidal and homicidal thoughts and feelings. She did not take any steps at that time to take any special precautions in relation to alleged threats by NK, including raising her fears with Dr Lim, nor upon NK's transfer to the second Hospital. The second Hospital discharged NK the next day, satisfied that he was not a risk to himself or others. In the circumstances it was held that there was no evidence that it was at all reasonable for Nurse W to have considered NK a serious and imminent threat.

Montgomery JM agreed with NK and found that the Respondent Hospital had breached HPP10.

2. Misuse of personal information

NK asserted that the forwarding of his letter of resignation from the Hospital General Manager's office on 26 August 2008 to the Human Resources Manager and Ms A, who then forwarded it to three other members of staff so they could read and comment on it, constituted a contravention of section 17 of the Privacy Act. That section provides that:

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:

(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or

(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or

(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

Montgomery JM went on to consider whether the letter of resignation constituted 'personal information' as defined in section 4 of the Privacy Act. He considered the definition to be 'very broad, and not limited to information of a private nature' [95]. That definition reads:

Section 4 (3) (b) of the Privacy Act provides that personal information does not include information about an individual that is contained in a publicly available publication. Ms A believed that the resignation letter would soon become part of the public domain given that NK had indicated that he intended to forward the letter to various parliamentarians and the media.

Montgomery JM was of the view that the resignation letter was 'personal information' as defined within the Privacy Act and that it did not fall within the exception of 'publicly available information' [101]. At the time the letter was written and after it was read, it was not 'material in a published form consistent with general, unfettered availability' [100]. If NK had followed through and provided the letter to others as nominated by him, that would not, of itself, make it a 'publicly available publication'. In fact, NK did not provide the letter to any third party.

According to Montgomery JM:

The question was posed as to whether the secondary purpose of the letter, the investigation of grievances raised in NK's resignation letter, was 'directly related to the purpose for which the information was collected'. Montgomery JM considered the issue of confidentiality with respect to the NSW Health Policy PD 2005-584 Grievance Resolution (Workplace) for the Department of Health and Public Health Organisations (the Grievance Policy). He was of the opinion that

According to Montgomery JM, it was appropriate for Ms A to inform staff that NK had resigned so that his upcoming shifts could be covered; however, this could have been done without providing a copy of the letter to those staff. The steps taken in giving the letter to three members of staff to read and to comment upon were inappropriate. He stated:

Thus, Montgomery JM found that the Respondent Hospital had used NK's personal information for a purpose other than that for which it was collected, in breach of section 17 of the Privacy Act.

3. Inappropriate use of information

NK contended that the Human Services Manager did not take reasonable steps to confirm the accuracy, relevancy or completeness of the information contained within a memo forwarded to Ms S, the Director of Business Units for the Respondent Hospital. Nor did he take steps to confirm that it was up to date and not misleading. NK contested three statements in the memo. The Human Resources Manager indicated that he had not seen NK's medical record. He had assumed that everything he was told by Nurse W was actually in the record.

When Nurse W approached the Human Resources Manager on 2 September 2008, he already had in his possession a letter from a doctor, who had treated NK on 1 September 2008, stating that NK was fit to return to work on 2 September 2008. Although this was a later medical opinion, the Human Relations Manager ignored it.

Montgomery JM was satisfied that the memo contained the inaccuracies that NK alleged. The Human Resources Manager did not take steps to ensure that the information was relevant, accurate, up-to-date, complete and not misleading before including it in the memo sent to Ms S. Therefore, the Human Resources Manager acted contrary to HPP9 and by using the information for a purpose other than for which it was collected, he had also contravened HPP10.

4. Misleading information

NK next complained about an email sent by the Human Resources Manager to Ms S with copies to four other people. In it he reported that he had received information that NK had visited Nurse M's home. NK claimed that the information was untrue and that the Human Resources Manager's email contravened section 16 of the Privacy Act, which provides:

According to Montgomery JM:

He found that the Human Resources Manager's conduct contravened section 16 of the Privacy Act.

5. Inaccurate use of information

NK complained that the information conveyed to the Human Resources Manager by Nurse W, Nurse M or Ms A and other information, which was then included in the Human Resources Manager's emails, was incorporated in a number of specified documents whereby the allegations were presented as facts without checking their accuracy. NK submitted that this action constituted a breach of HPP9 and Section 16 of the Privacy Act.

NK also contended that the information had serious and adverse consequences for him. In some cases the allegations by Nurse M and Nurse W were never investigated by the Respondent Hospital and others were never put to NK for comment. The allegations reported in the Risk Assessment resulted in NK being suspended from all duties until 30 November 2009. He claimed that the information conveyed to the Fact-Finding Committee resulted in him being denied procedural fairness in the investigation.

According to Montgomery JM:

He went on to find that the Respondent breached HPP9 and section 16 of the Privacy Act.

Accuracy of medical records

NK alleged that conduct engaged in by Nurse W on 2 September 2008 breached HPP9 which provides that an organisation that holds health information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

NK complained that information contained in his personnel file was inaccurate and was inconsistent with his health records. He claimed that the alleged threats which Nurse W reported to the Human Resources Manager were not supported by notes in his medical record. In particular, he complained of the insertion of a statement by Nurse W into the Risk Assessment, which indicated that NK 'expressed both homicidal and suicidal thoughts and made specific threats towards [Nurse M]' [79].

In reliance upon Nurse W's allegations, information along the same lines was included in an email of 2 September 2008 from the Human Resources Manager and in the documentation provided to the independent psychiatrist. The Respondent Hospital's internal review concluded that: 'Information ... that the applicant had made a specific threat against [Nurse M], was inaccurate' [88].

When she approached the Human Resources Manager with her concerns, Nurse W stated she had read NK's file which she obtained from the second Hospital, in which the latest report was that he was cooperative and hopeful about the future.

According to Montgomery JM: 'The information reported was not accurate, it was not up to date and it was misleading. In addition, the disclosure was made to the Human Resources Manager, NK's employer' [89]. For this reason he found that the Respondent Hospital had breached HPP9.


NK made three complaints regarding disclosure of his medical records:

1. Disclosure of information for secondary purpose

NK complained of the inaccurate information in the material provided to the Respondent's indemnity insurers, TMF, and that the material had been discussed between the TMF Case Manager and the Human Resources Manager. He also claimed that his medical records had been provided to TMF without his consent and that other third parties may possibly have had access to them.

HPP11 prohibits the disclosure of health information for a purpose other than the primary purpose for which it was collected unless that secondary purpose falls within one of the express exclusions.

According to the Respondent's internal review, it was concluded that TMF acted with the applicant's consent in seeking access to clinical notes from the applicant's admission to both hospitals. NK had signed a consent form which included

Montgomery JM held that NK's presentation at the Respondent Hospital and the second Hospital were 'directly related to the worker's compensation claim so he should have had a reasonable expectation that relevant clinical notes could be requested for the purposes of managing his injury and workers compensation claim' [145]. He found that the Respondent Hospital had not contravened HPP11 in regard to the provision of NK's medical records to TMF.

2. Inappropriate disclosure of information

NK stated that Ms A informed TMF of a conversation between herself and another member of staff (Nurse J) who felt the need to inform Ms A about an incident involving NK. Among other things this other member of staff relayed to Ms A that she 'was aware that a few weeks beforehand he was stating many strange things including that he would go off his medication so that he could have an episode to make it difficult for the Department' [147].

Further, NK claimed that Nurse M, about whom he had complained of bullying and harassment, had disclosed details of matters contained within his letter of resignation and that the conversation between Ms A and Nurse J occurred after Nurse M had seen his letter of resignation.

Montgomery JM found that the Respondent Hospital had not acted in contravention of HPP11 in providing the information to TMF. Such information concerning NK's behaviour in the workplace was directly related to his workers compensation claim and treated accordingly.

3. Inaccurate disclosure of information

NK further complained that the Human Resources Manager provided documentation to Occupational Solutions, which in turn was conveyed to Dr McLure, who were contacted to investigate NK's Workcover complaint. The information passed on included reference to inaccurate information and was relied upon by TMF to deny NK's claim. NK contended that this was a breach of HPP11 and HPP9 as well as sections 16 and 18 of the Privacy Act.

In the opinion of Montgomery JM, this information fell within the same category as above, and the information could be provided for the purposes of managing his injury and workers compensation claim. Although the information provided was inaccurate, he found that the Respondent had not acted in contravention of HPP11, HPP9 or sections 16 or 18 of the Privacy Act.


NK submitted that the Respondent Hospital committed numerous contraventions of the Privacy and the Health Privacy Acts and that the Tribunal should consider each individual contravention separately and individually in regard to the determination of damages. The maximum damages to be awarded under the Privacy Act are set at $40,000.

Montgomery JM did not agree with NK's submission that each individual contravention by the Respondent Hospital should be considered separately in regard to determining damages. He stated: 'In my view, the term "conduct" for the purposes of section 55 encompasses the totality of the proven occurrences that are the subject of the application' [184].

As well as determining the question of what damages could be awarded, he considered the issue of whether an award of damages was warranted. He went on to hold that an order that the Respondent Hospital pay NK damages was warranted. On the evidence before him, he was satisfied that NK suffered significant loss or damage due to the Respondent Hospital's conduct.


The Reasons for Decision document written by Montgomery JM comprises a lengthy and detailed discussion of the facts and the law in this case. This report provides a summary of some of the issues raised in the case in relation to confidentiality and privacy of patients who are also employees. Readers who are concerned to obtain more information on this case are encouraged to access a copy of the whole decision to read. (1)

Employees as patients are entitled to the same protection of privacy and confidentiality as any other patient/client in a health care service. Overriding the privacy principles, where there is a real and substantial risk of harm to the data subject or other persons, may be warranted in some circumstances, but there must be strong and cogent evidence that such a breach is warranted in order to protect the life or health of the patient/client or another person or persons from serious and imminent danger. Any complaint would be dealt with on a case-by-case basis.

Supplementary Terms: Information Protection Principle; Health Information Privacy Principles

(1) or (websites to source Australian case-law)

Judith Mair PhD, LLB, RN, RM, DNE.

Casual Lecturer

Faculty of Health Sciences, The University of Sydney

Lidcombe NSW 1825 AUSTRALIA

Tel: 0408-265-254

... your medical record is only available to the treating
   staff at the time and once that episode of care is over,
   unless you have continued treatment from [the
   Hospital's] Mental Health Service, your records should
   not be available to anyone unless there's a request and
   your consent has been given [39].

If the threat, if the clinician at the time thought that
   it were imminent, the word is imminent risk, then
   of course it is their duty of responsibility to take
   appropriate action, which includes informing you, the
   patient, that you are going to take this, it's necessary
   for you to take this action by informing - the victim has
   to be informed, number two, the police would often be
   informed. If you were in hospital we would normally
   put you under the Mental Health Act to protect you
   and the patient from possible harm. But the clear
   responsibility has to be that a threat was made and
   that you had the capability of doing that [70].

In this Act, personal information means
   information or an opinion (including information or an
   opinion forming part of a database and whether or not
   recorded in a material form) about an individual whose
   identity is apparent or can reasonably be ascertained
   from the information or opinion.

The primary purpose for which the resignation letter
   was collected, was to record NK's resignation and to
   record NK's grievances in relation to his workplace
   environment. The use of the letter by Ms A was a
   secondary purpose, in relation to the investigation of the
   allegations. It cannot be said that NK consented to the
   use of the information for the secondary purpose as he
   was not informed that the letter would be shown to the
   other staff members [105].

... both the Human Resources Manager and Ms A had a
   responsibility to ensure that NK's letter of resignation
   remains appropriately confidential because of the
   allegations contained within it, and both had the
   responsibility to ensure that it was deposited in a
   secure place. NK was entitled to have the issues that
   he raised treated in a fair, impartial and appropriately
   confidential manner [112].

Ms A has directly breached NK's entitlement to
   confidentiality and exposed NK to the possibility of
   recrimination. This is clearly contrary to the Grievance
   policy... There were other less intrusive means available
   to the Respondent in its investigation of the allegations
   in NK's letter [115].

A public sector agency that holds personal information
   must not use the information without taking such steps
   as are reasonable in the circumstances to ensure that,
   having regard to the purpose for which the information
   is proposed to be used, the information is relevant,
   accurate, up to date, complete and not misleading.

In my view, the information to the effect that NK
   had visited Nurse M's home is personal information
   for the purposes of the Privacy Act. By including this
   information in the memo, the Human Resources
   Manager was clearly taking action in a way which was
   adverse to NK's interests and he did so without taking
   reasonable steps to ensure the information is accurate

The evidence before me supports NK's assertions in
   regard to this complaint. He has clearly been denied
   procedural fairness in regard to many aspects of this
   matter and the Respondent appears to have acted in
   total disregard to his entitlement [139].

... consent for the rehabilitation coordinators and
   associated workers compensation officers of NSCCH to
   obtain/release information from: nominated treating
   doctors, Employer, Insurer, Other treating Practitioners,
   Rehabilitation Providers, Workcover NSW for the
   purpose of managing my work related injury and
   workers compensation claim [143].