In Ez and Ey,[1] the Privacy Commissioner held that a medical practitioner breached the National Privacy Principles (NPP) by disclosing a patient’s medical information to a police officer.
This decision was determined based on the Privacy Act 1988 (Cth) (the Act), prior to its reforms on 12 March 2014. The Australian Privacy Principles (APP) have now replaced the NPP (except for ACT). It seems unlikely that the Commissioner’s findings would have differed if the matter was determined in accordance with the amended Act.
Following a neighbourhood dispute, the patient contacted his local police station. The police attended the patient’s house and reported that the patient explained his concerns in a ‘highly excited and at times paranoid fashion’. The patient also admitted to suffering Post Traumatic Stress Disorder and an anxiety disorder.
Subsequently, the Sergeant called the patient’s doctor to make enquiries regarding whether the patient was psychotic. The doctor advised that ‘it was possible but further assessment was needed’.
The patient became aware of this communication when he received documents from a freedom of information request.
The patient’s allegations were that the doctor:
- improperly disclosed information contained in medical records (NPP 2.1);[2]
- disclosed inaccurate personal information (NPP 3.1);[3] and
- failed to have adequate security safeguards to protect personal information from improper disclosure (NPP 4.1).[4]
Disclosure of medical records
The NPP permits several situations when a patient’s personal information can be disclosed. These include where:
- it is reasonably necessary to lessen or prevent a serious and imminent threat to an individual’s life, health or safety, or a serious threat to public health or safety;[5]
- there is a suspicion of unlawful activity and disclosure would be necessary for investigation;[6] or
- the disclosure is required or authorised by law.[7]
Disclosure is also permitted to an enforcement body, where an individual has reasonable belief that disclosure is necessary for the prevention, detection, investigation, prosecution or punishment of a criminal offence.[8] However, this does not override the duty of confidentiality between a medical practitioner and an individual. Following a disclosure request, medical practitioners should balance the importance of the individual’s confidentiality with the public interest in the disclosure, and consider:[9]
- the seriousness of the situation - for instance, an investigation into an alleged murder would be more serious than property theft;
- the risks associated with disclosure without the individual’s consent or knowledge, balanced against the implications of non-disclosure;
- their relevant professional and ethical obligations; and
- whether the circumstances indicate a serious and imminent threat to the health, life or safety of any person.
The doctor submitted that the disclosure was made in good faith. As the police called her concerning someone with whom they were clearly having dealings, she believed there was a serious and imminent threat, and this made her assume that there was an investigation into unlawful activity.
The Commissioner found the doctor could not rely on these exceptions, and should have asked the Sergeant detailed questions as to the reasons for his request. It was found the doctor breached NPP 2.1.
Disclosure of inaccurate information
An organisation (including doctors) must take reasonable steps to ensure the personal information it collects, uses or discloses is accurate, complete and up to date.[10] The Commissioner found that the doctor did not breach this requirement.
Adequate security safeguards
An organisation (including doctors) must take reasonable steps to protect the personal information it holds.[11] The Commissioner found the doctor breached this principle, and noted that reasonable steps could have included questioning the police officer and ascertaining if there was a serious and imminent threat to the person or the public.
Following the finding that the doctor had breached NPP 2.1 and 4.1, the Commissioner ordered the doctor to personally apologise to the patient and pay the patient $6,500 for the loss caused.
Medical practitioners should take any request for disclosure of personal information very seriously. They should ask the requestor detailed questions and make adequate inquiries to ascertain that the purpose of the request falls under one of the permitted exceptions. Medical practitioners are also reminded that they must take reasonable steps to ensure the information collected, used and disclosed is accurate, complete and up to date.